├── map ├── images │ ├── waldo.png │ ├── cytoscape_all.png │ ├── permission_role.png │ └── role_permission.png ├── example │ ├── graph.json.gz │ ├── graph.xml.gz │ └── graph.groovy.gz ├── go.mod ├── main.go ├── README.md └── go.sum ├── query ├── images │ ├── dwd_sa.png │ ├── dwd_auth.png │ ├── org_iam.png │ ├── a_gcs_viewer.png │ ├── service_usage.png │ ├── dwd_impersonate.png │ └── org_custom_role.png ├── go.mod ├── README.md └── main.go ├── README.md └── LICENSE /map/images/waldo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/salrashid123/gcp_iam/HEAD/map/images/waldo.png -------------------------------------------------------------------------------- /query/images/dwd_sa.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/salrashid123/gcp_iam/HEAD/query/images/dwd_sa.png -------------------------------------------------------------------------------- /map/example/graph.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/salrashid123/gcp_iam/HEAD/map/example/graph.json.gz -------------------------------------------------------------------------------- /map/example/graph.xml.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/salrashid123/gcp_iam/HEAD/map/example/graph.xml.gz -------------------------------------------------------------------------------- /query/images/dwd_auth.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/salrashid123/gcp_iam/HEAD/query/images/dwd_auth.png -------------------------------------------------------------------------------- /query/images/org_iam.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/salrashid123/gcp_iam/HEAD/query/images/org_iam.png -------------------------------------------------------------------------------- /map/example/graph.groovy.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/salrashid123/gcp_iam/HEAD/map/example/graph.groovy.gz -------------------------------------------------------------------------------- /map/images/cytoscape_all.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/salrashid123/gcp_iam/HEAD/map/images/cytoscape_all.png -------------------------------------------------------------------------------- /map/images/permission_role.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/salrashid123/gcp_iam/HEAD/map/images/permission_role.png -------------------------------------------------------------------------------- /map/images/role_permission.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/salrashid123/gcp_iam/HEAD/map/images/role_permission.png -------------------------------------------------------------------------------- /query/images/a_gcs_viewer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/salrashid123/gcp_iam/HEAD/query/images/a_gcs_viewer.png -------------------------------------------------------------------------------- /query/images/service_usage.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/salrashid123/gcp_iam/HEAD/query/images/service_usage.png -------------------------------------------------------------------------------- /query/images/dwd_impersonate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/salrashid123/gcp_iam/HEAD/query/images/dwd_impersonate.png -------------------------------------------------------------------------------- /query/images/org_custom_role.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/salrashid123/gcp_iam/HEAD/query/images/org_custom_role.png -------------------------------------------------------------------------------- /map/go.mod: -------------------------------------------------------------------------------- 1 | module main 2 | 3 | go 1.15 4 | 5 | require ( 6 | github.com/go-gremlin/gremlin v0.0.0-20180314122959-0036b9fca17f // indirect 7 | github.com/gorilla/websocket v1.4.2 // indirect 8 | github.com/satori/go.uuid v1.2.0 // indirect 9 | golang.org/x/time v0.0.0-20201208040808-7e3f01d25324 // indirect 10 | google.golang.org/api v0.39.0 // indirect 11 | ) 12 | -------------------------------------------------------------------------------- /query/go.mod: -------------------------------------------------------------------------------- 1 | module main 2 | 3 | go 1.19 4 | 5 | require ( 6 | cloud.google.com/go/asset v1.7.0 7 | cloud.google.com/go/policytroubleshooter v1.2.0 8 | cloud.google.com/go/storage v1.27.0 9 | github.com/golang/glog v1.0.0 10 | github.com/golang/protobuf v1.5.2 11 | github.com/salrashid123/gcp_error_handler/golang/errors v0.0.0-20210510124102-42fad0511fe1 12 | golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 13 | google.golang.org/api v0.99.0 14 | google.golang.org/genproto v0.0.0-20221014173430-6e2ab493f96b 15 | ) 16 | 17 | require ( 18 | cloud.google.com/go v0.104.0 // indirect 19 | cloud.google.com/go/compute v1.10.0 // indirect 20 | cloud.google.com/go/iam v0.3.0 // indirect 21 | github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect 22 | github.com/google/go-cmp v0.5.9 // indirect 23 | github.com/google/uuid v1.3.0 // indirect 24 | github.com/googleapis/enterprise-certificate-proxy v0.2.0 // indirect 25 | github.com/googleapis/gax-go/v2 v2.5.1 // indirect 26 | go.opencensus.io v0.23.0 // indirect 27 | golang.org/x/net v0.0.0-20221012135044-0b7e1fb9d458 // indirect 28 | golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 // indirect 29 | golang.org/x/text v0.3.7 // indirect 30 | golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect 31 | google.golang.org/appengine v1.6.7 // indirect 32 | google.golang.org/grpc v1.50.0 // indirect 33 | google.golang.org/protobuf v1.28.1 // indirect 34 | ) 35 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | Google Cloud IAM Troubleshooting scripts intended to provide several indicators of users permissions on GCP resources. 4 | 5 | * `inspect/query` 6 | - [checkEndUserPermissions](#checkEndUserPermissions) 7 | 8 | - Allows an end user to ask "of all the permissions this resource accepts, which ones do I have?" 9 | - Allows a domain administrator to _impersonate_ any user and inspect which permissions that user has on a resource. 10 | 11 | - [usePolicyTroubleshooter](#usePolicyTroubleshooter) 12 | 13 | - Use [IAM Policy Troubleshooter](https://cloud.google.com/iam/docs/troubleshooting-access) API to determine if the user has IAM access to a resource. 14 | 15 | - Display if [IAM Conditions](https://cloud.google.com/iam/docs/conditions-overview) are applicable. 16 | 17 | - Backtrack the [IAM Resource Hierarchy](https://cloud.google.com/iam/docs/resource-hierarchy-access-control) from the resource to root and display all the IAM Roles present at each node. (`TODO`: display subset of permissions at each node applicable to the target resource) 18 | 19 | - [useIAMPolicyRequest](#useIAMPolicyRequest) 20 | 21 | - Use [IAM Policy Analyzer](https://cloud.google.com/asset-inventory/docs/analyzing-iam-policy) to help determine if a given user has access to a resource through indirect capabilities: 22 | 23 | - Through nested or direct group memberships bound to the resource 24 | - Through [service account impersonation](https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials) where the service account has direct or indirect access. 25 | - Other mechanisms described [here](https://cloud.google.com/asset-inventory/docs/analyzing-iam-policy#overview) 26 | 27 | * `map/` 28 | 29 | The other utility provided here is basically just a forward and reverse map and graph of IAM `Roles->Permissions` and `Permissions->Roles`. Mostly just fun stuff 30 | 31 | See [Google Cloud IAM Roles-Permissions Public Dataset](/articles/2021/iam_bq_dataset/) 32 | 33 | 34 | Note that users can have access to resources through various mechanisms and restrictions: 35 | 36 | - User has direct IAM binding on the resource 37 | - User has indirect access through 38 | * [group membership](https://cloud.google.com/iam/docs/groups-in-cloud-console) 39 | * [serviceAccount Impersonation](https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials) 40 | - User has access through [Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation) 41 | - Access restricted through [IAM Conditions](https://cloud.google.com/iam/docs/conditions-overview) 42 | 43 | Each of these scripts attempts to surface aspects of these access capabilities and restricts. The intent is to use them to surface the full access scope capability for a user. 44 | 45 | > ** This code is NOT supported by Google, really ** 46 | 47 | > NOTE: this utility is just a way to list and test Roles/Permissions. It does not account for IAP Context-Aware access, VPC-SC or IAM Conditions 48 | 49 | 50 | ### References 51 | 52 | - [Troubleshooting access](https://cloud.google.com/iam/docs/troubleshooting-access) 53 | - [Analyzing IAM policies](https://cloud.google.com/asset-inventory/docs/analyzing-iam-policy) 54 | - [Troubleshooting policy and access problems on Google Cloud](https://cloud.google.com/solutions/troubleshooting-policy-and-access-problems) 55 | - [Representing Gsuites and Google Cloud Org structure as a Graph Database](https://github.com/salrashid123/gsuites_gcp_graphdb) -------------------------------------------------------------------------------- /map/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bytes" 5 | "context" 6 | "encoding/json" 7 | "errors" 8 | "flag" 9 | "fmt" 10 | "io/ioutil" 11 | "os" 12 | "strings" 13 | "sync" 14 | 15 | "github.com/golang/glog" 16 | "golang.org/x/time/rate" 17 | "google.golang.org/api/cloudresourcemanager/v1" 18 | "google.golang.org/api/iterator" 19 | 20 | asset "cloud.google.com/go/asset/apiv1" 21 | //"github.com/go-gremlin/gremlin" 22 | "google.golang.org/api/iam/v1" 23 | assetpb "google.golang.org/genproto/googleapis/cloud/asset/v1" 24 | ) 25 | 26 | // go run main.go -v 20 -alsologtostderr 27 | 28 | type Roles struct { 29 | Roles []Role `json:"roles"` 30 | } 31 | 32 | type Role struct { 33 | Name string `json:"name"` 34 | Role iam.Role `json:"role"` 35 | IncludedPermissions []string `json:"included_permissions"` 36 | } 37 | 38 | type Permissions struct { 39 | Permissions []Permission `json:"permissions"` 40 | } 41 | 42 | type Permission struct { 43 | //Permission iam.Permission // there's no direct way to query a given permission detail! 44 | Name string `json:"name"` 45 | Roles []string `json:"roles"` 46 | } 47 | 48 | const ( 49 | projectNumber = "248066739582" 50 | maxRequestsPerSecond float64 = 4 // "golang.org/x/time/rate" limiter to throttle operations 51 | burst int = 4 52 | ) 53 | 54 | var ( 55 | cmutex = &sync.Mutex{} 56 | pmutex = &sync.Mutex{} 57 | projectID = flag.String("projectID", "fabled-ray-104117", "GCP ProjetID") 58 | addr = flag.String("gremlin-server", os.Getenv("GREMLIN_SERVER"), "gremlin server address") 59 | organization = flag.String("organization", "", "OrganizationID") 60 | checkPermission = flag.String("checkPermission", "compute.instances.get", "Permission to check") 61 | checkResource = flag.String("checkResource", "projects/fabled-ray-104117/zones/us-central1-a/instances/external", "Permission to check") 62 | useAssetInventoryAPI = flag.Bool("useAssetInventoryAPI", false, "Use AssetInventory API to get projects (requires cloudasset.assets.listResource)") 63 | generateGraphDB = flag.Bool("generateGraphDB", false, "Generate GraphDB output (.groovy)") 64 | mode = flag.String("mode", "default", "Interation mode: organization|project|default") 65 | projects = make([]*cloudresourcemanager.Project, 0) 66 | 67 | permissions = &Permissions{} 68 | roles = &Roles{} 69 | 70 | limiter *rate.Limiter 71 | ors *iam.RolesService 72 | ) 73 | 74 | //serviceusage.services.use 75 | func init() { 76 | } 77 | 78 | func main() { 79 | flag.Parse() 80 | 81 | ctx := context.Background() 82 | crmService, err := cloudresourcemanager.NewService(ctx) 83 | if err != nil { 84 | glog.Fatal(err) 85 | } 86 | 87 | iamService, err := iam.NewService(ctx) 88 | if err != nil { 89 | glog.Fatal(err) 90 | } 91 | ors = iam.NewRolesService(iamService) 92 | 93 | limiter = rate.NewLimiter(rate.Limit(maxRequestsPerSecond), burst) 94 | 95 | switch *mode { 96 | case "organization": 97 | glog.V(2).Infof("Getting Organization Roles/Permissions") 98 | 99 | if *organization == "" { 100 | glog.Error(errors.New("--organization value must be set")) 101 | return 102 | } 103 | oreq, err := crmService.Organizations.Get(fmt.Sprintf("organizations/%s", *organization)).Do() 104 | if err != nil { 105 | glog.Fatal(err) 106 | } 107 | glog.V(2).Infof(" Organization Name %s", oreq.Name) 108 | *organization = oreq.Name 109 | 110 | parent := fmt.Sprintf(*organization) 111 | 112 | // A) for Organization Roles 113 | err = generateMap(ctx, parent, "permissions_organization.json", "roles_organization.json") 114 | if err != nil { 115 | glog.Fatal(err) 116 | } 117 | 118 | // requires cloudasset.assets.listResource permissions 119 | if *useAssetInventoryAPI { 120 | assetClient, err := asset.NewClient(ctx) 121 | if err != nil { 122 | glog.Fatal(err) 123 | } 124 | 125 | assetType := "cloudresourcemanager.googleapis.com/Project" 126 | req := &assetpb.SearchAllResourcesRequest{ 127 | Scope: fmt.Sprintf("%s", *organization), 128 | AssetTypes: []string{assetType}, 129 | } 130 | 131 | // Call ListAssets API to get an asset iterator. 132 | it := assetClient.SearchAllResources(ctx, req) 133 | 134 | // Traverse and print the first 10 listed assets in response. 135 | for i := 0; i < 10; i++ { 136 | response, err := it.Next() 137 | if err == iterator.Done { 138 | break 139 | } 140 | if err != nil { 141 | glog.Fatal(err) 142 | } 143 | // TODO: populate the project []string{} with values.. 144 | glog.V(2).Infof(" Project Name %s", response.Project) 145 | } 146 | } 147 | 148 | case "project": 149 | // B) for Project Roles 150 | glog.V(2).Infof("Getting Project Roles/Permissions") 151 | // TODO: only get projects in the selected organization 152 | preq := crmService.Projects.List() 153 | if err := preq.Pages(ctx, func(page *cloudresourcemanager.ListProjectsResponse) error { 154 | for _, p := range page.Projects { 155 | if p.LifecycleState == "ACTIVE" { 156 | projects = append(projects, p) 157 | } 158 | } 159 | return nil 160 | }); err != nil { 161 | glog.Fatal(err) 162 | } 163 | for _, p := range projects { 164 | parent := fmt.Sprintf("projects/%s", p.ProjectId) 165 | err = generateMap(ctx, parent, "permissions_"+p.ProjectId+".json", "roles_"+p.ProjectId+".json") 166 | if err != nil { 167 | glog.Fatal(err) 168 | } 169 | } 170 | default: 171 | 172 | glog.V(2).Infof("Getting Default Roles/Permissions") 173 | parent := "" 174 | err = generateMap(ctx, parent, "permissions_default.json", "roles_default.json") 175 | if err != nil { 176 | glog.Fatal(err) 177 | } 178 | } 179 | if *generateGraphDB { 180 | glog.V(2).Infof("Generating GraphDB output") 181 | for _, p := range permissions.Permissions { 182 | 183 | entry := ` 184 | if (g.V().hasLabel('permission').has('name','%s').hasNext() == false) { 185 | g.addV('permission').property(label, 'permission').property('name', '%s').id().next() 186 | } 187 | ` 188 | entry = fmt.Sprintf(entry, p.Name, p.Name) 189 | fmt.Printf("%s", entry) 190 | } 191 | 192 | for _, r := range roles.Roles { 193 | 194 | rr := ` 195 | v2 = g.addV('role').property(label, 'role').property('name', '%s').property('title', '%s').property('description', '%s').property('stage', '%s').property('deleted', %t).next() 196 | ` 197 | rr = fmt.Sprintf(rr, r.Name, r.Role.Title, strings.Replace(r.Role.Description, "'", "\\'", -1), r.Role.Stage, r.Role.Deleted) 198 | fmt.Printf("%s", rr) 199 | for _, p := range r.IncludedPermissions { 200 | rc := ` 201 | v1 = g.V().hasLabel('permission').has('name', '%s').next() 202 | e1 = g.V(v1).addE('in').to(v2).next() 203 | ` 204 | rc = fmt.Sprintf(rc, p) 205 | 206 | fmt.Printf("%s", rc) 207 | } 208 | } 209 | } 210 | glog.V(2).Infof("done") 211 | 212 | } 213 | 214 | func generateMap(ctx context.Context, parent, permissionFileName, rolesFileName string) error { 215 | var wg sync.WaitGroup 216 | 217 | oireq := ors.List().Parent(parent) 218 | if err := oireq.Pages(ctx, func(page *iam.ListRolesResponse) error { 219 | for _, sa := range page.Roles { 220 | wg.Add(1) 221 | go func(ctx context.Context, wg *sync.WaitGroup, sa *iam.Role) { 222 | glog.V(20).Infof("%s\n", sa.Name) 223 | defer wg.Done() 224 | var err error 225 | if err := limiter.Wait(ctx); err != nil { 226 | glog.Fatal(err) 227 | } 228 | if ctx.Err() != nil { 229 | glog.Fatal(err) 230 | } 231 | rc, err := ors.Get(sa.Name).Do() 232 | if err != nil { 233 | glog.Fatal(err) 234 | } 235 | cr := &Role{ 236 | Name: sa.Name, 237 | Role: *sa, 238 | IncludedPermissions: rc.IncludedPermissions, 239 | } 240 | cmutex.Lock() 241 | _, ok := findRoles(roles.Roles, sa.Name) 242 | if !ok { 243 | glog.V(2).Infof(" Iterating Role %s", sa.Name) 244 | roles.Roles = append(roles.Roles, *cr) 245 | } 246 | cmutex.Unlock() 247 | 248 | for _, perm := range rc.IncludedPermissions { 249 | glog.V(2).Infof(" Appending Permission %s to Role %s", perm, sa.Name) 250 | i, ok := findPermission(permissions.Permissions, perm) 251 | 252 | if !ok { 253 | pmutex.Lock() 254 | permissions.Permissions = append(permissions.Permissions, Permission{ 255 | Name: perm, 256 | Roles: []string{sa.Name}, 257 | }) 258 | pmutex.Unlock() 259 | } else { 260 | pmutex.Lock() 261 | p := permissions.Permissions[i] 262 | _, ok := find(p.Roles, sa.Name) 263 | if !ok { 264 | p.Roles = append(p.Roles, sa.Name) 265 | permissions.Permissions[i] = p 266 | } 267 | pmutex.Unlock() 268 | } 269 | 270 | } 271 | }(ctx, &wg, sa) 272 | 273 | } 274 | return nil 275 | }); err != nil { 276 | return err 277 | } 278 | 279 | wg.Wait() 280 | var prettyJSON bytes.Buffer 281 | buf, err := json.Marshal(roles) 282 | if err != nil { 283 | return err 284 | } 285 | err = json.Indent(&prettyJSON, buf, "", "\t") 286 | if err != nil { 287 | return err 288 | } 289 | //glog.V(20).Infof(" Role %s\n", string(prettyJSON.Bytes())) 290 | buf, err = json.Marshal(permissions) 291 | if err != nil { 292 | return err 293 | } 294 | err = json.Indent(&prettyJSON, buf, "", "\t") 295 | if err != nil { 296 | return err 297 | } 298 | //glog.V(20).Infof(" Permissions %s\n", string(prettyJSON.Bytes())) 299 | 300 | pfile, _ := json.MarshalIndent(permissions, "", " ") 301 | 302 | err = ioutil.WriteFile(permissionFileName, pfile, 0644) 303 | if err != nil { 304 | return err 305 | } 306 | 307 | rfile, _ := json.MarshalIndent(roles, "", " ") 308 | 309 | err = ioutil.WriteFile(rolesFileName, rfile, 0644) 310 | if err != nil { 311 | return err 312 | } 313 | return nil 314 | 315 | } 316 | 317 | func find(slice []string, val string) (int, bool) { 318 | for i, item := range slice { 319 | if item == val { 320 | return i, true 321 | } 322 | } 323 | return -1, false 324 | } 325 | 326 | func findRoles(slice []Role, val string) (int, bool) { 327 | for i, item := range slice { 328 | if item.Name == val { 329 | return i, true 330 | } 331 | } 332 | return -1, false 333 | } 334 | 335 | func findPermission(slice []Permission, val string) (int, bool) { 336 | for i, item := range slice { 337 | if item.Name == val { 338 | return i, true 339 | } 340 | } 341 | return -1, false 342 | } 343 | -------------------------------------------------------------------------------- /map/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Roles/Permission Maps 4 | 5 | Simple application to enumerate all Google Cloud `Permissions->Roles` and `Roles->Permissions` to JSON. 6 | 7 | To use this, you must have `Organization Role Viewer` and `Organization Viewer` roles assigned to the current user or service account at the organization level. 8 | 9 | First find the organization ID number: 10 | 11 | ```bash 12 | $ gcloud organizations list 13 | DISPLAY_NAME ID DIRECTORY_CUSTOMER_ID 14 | esodemoapp2.com 673208786088 C023zw388 15 | ``` 16 | 17 | Then just specify that: 18 | 19 | ```bash 20 | go run main.go -v 20 -alsologtostderr --organization 673208786088 21 | ``` 22 | 23 | The output will be a series of JSON files that list out the custom roles for at the project and organization level. 24 | 25 | the files `roles_default.json` and `permissions_default.json` include all the roles/permissions in the organization. 26 | 27 | 28 | 29 | ```json 30 | $ cat roles_default.json | jq '.roles[] | select(.name=="projects/fabled-ray-104117/roles/SSHOSLoginRole")' 31 | { 32 | "name": "projects/fabled-ray-104117/roles/SSHOSLoginRole", 33 | "role": { 34 | "description": "Role to grant SSH OS Login", 35 | "etag": "BwW6RP6hDqA=", 36 | "name": "projects/fabled-ray-104117/roles/SSHOSLoginRole", 37 | "title": "sshOSLoginRole" 38 | }, 39 | "included_permissions": [ 40 | "compute.instances.osLogin", 41 | "compute.instances.setMetadata", 42 | "compute.instances.use" 43 | ] 44 | } 45 | ``` 46 | 47 | ```json 48 | $ cat permissions*.json | jq '.permissions[] | select(.name=="compute.instances.use")' 49 | { 50 | "name": "compute.instances.use", 51 | "roles": [ 52 | "projects/fabled-ray-104117/roles/SSHRole", 53 | "projects/fabled-ray-104117/roles/SSHOSLoginRole", 54 | "roles/compute.instanceAdmin.v1", 55 | "roles/dataproc.serviceAgent", 56 | "roles/cloudtpu.serviceAgent", 57 | "roles/compute.loadBalancerAdmin", 58 | "roles/compute.networkAdmin", 59 | "roles/composer.serviceAgent", 60 | "roles/compute.admin", 61 | "roles/compute.instanceAdmin", 62 | "roles/container.serviceAgent", 63 | "roles/appengineflex.serviceAgent", 64 | "roles/dataflow.serviceAgent", 65 | "roles/cloudmigration.inframanager", 66 | "roles/editor", 67 | "roles/genomics.serviceAgent", 68 | "roles/lifesciences.serviceAgent", 69 | "roles/notebooks.legacyAdmin", 70 | "roles/notebooks.serviceAgent", 71 | "roles/owner", 72 | "roles/vpcaccess.serviceAgent" 73 | ] 74 | } 75 | { 76 | "name": "compute.instances.use", 77 | "roles": [ 78 | "projects/fabled-ray-104117/roles/SSHRole", 79 | "projects/fabled-ray-104117/roles/SSHOSLoginRole" 80 | ] 81 | } 82 | ``` 83 | 84 | This API uses `google.golang.org/api/iam/v1` API which at currently does not enumerate Permissions but lists those permissions associated with a Role. 85 | That is, if a Role has permissions [a,b,c], they will be listed in the output. If a permission is _not_ associated with any role for any reason, it will not be included in the map. 86 | 87 | Note, the [PermissionService](https://pkg.go.dev/google.golang.org/api/iam/v1#PermissionsService) does not have an API to list all permissions by itself. 88 | 89 | ### For the really impatient 90 | 91 | The `example/` folder contains various files for the DEFAULT iam roles permissions as of `March,2021` 92 | 93 | * `permissions_default.json`: default permissions in an org 94 | * `roles_default.json`: default roles in an org 95 | * `graph.groovy.gz`: [groovy](http://groovy.apache.org/) graph representation of permissions<->roles 96 | * `graph.xml.gz`: [graphML](https://tinkerpop.apache.org/docs/current/reference/#graphml) graph representation of permissions<->roles 97 | * `graph.json.gz`: [graphSON](https://tinkerpop.apache.org/docs/current/reference/#graphson) graph representation of permissions<->roles 98 | 99 | ### BigQuery Exports 100 | 101 | This script is equivalent to running an export of [GCP Policy Export to ](https://cloud.google.com/asset-inventory/docs/analyzing-iam-policy-longrunning-bigquery) 102 | and then unnesting the included permissions. 103 | 104 | ```sql 105 | SELECT p, r.name 106 | FROM `gcpdentity-asset-export-1.asset_inventory.iam_googleapis_com_Role` r, 107 | UNNEST(r.resource.data.includedPermissions) p 108 | WHERE DATE(timestamp) = "2021-02-12" 109 | ``` 110 | 111 | ### Cloud Console 112 | 113 | You can use the cloud console to map the roles-permissions: 114 | 115 | ![images/permission_role.png](images/permission_role.png) 116 | 117 | ![images/role_permission.png](images/role_permission.png) 118 | 119 | 120 | ### Using Asset Inventory to iterate Projects/Organization 121 | 122 | If you want to iterate projects using asset-inventory API, assign the user `Cloud Asset Viewer` role at org level and the `serviceusage.services.use` _permission_ on the project that is configured with `gcloud config list`. Once that is done, specify `--useAssetInventoryAPI` 123 | 124 | ### GraphML 125 | 126 | If you want to display the `Roles` <-> `Permissions` as a graph, run the map application with `--generateGraphDB` option and redirect the output as such (remember to reduce the log level to 0) 127 | 128 | eg 129 | ```bash 130 | go run main.go -v 0 -alsologtostderr --organization 673208786098 --generateGraphDB > /tmp/graph.groovy 131 | ``` 132 | 133 | The output file will contain raw groovy command set which you can import into JanusGraph 134 | 135 | If you just want to see the default graph/map for roles-permissions (not including custom roles, just load the static file into [Cytoscape](https://cytoscape.org/)) 136 | 137 | The `--mode` switch in the command line will either 138 | - (default) iterate of the standard roles/permissions 139 | - `--mode=project`: iterate of project-level roles/permissions 140 | - `--mode=organization`: iterate over organization-level roles/permissions 141 | 142 | #### Install JanusGraph 143 | 144 | - Local 145 | Download and untar [JanusGraph](http://janusgraph.org/). I used version [janusgraph-0.3.0-hadoop2](https://github.com/JanusGraph/janusgraph/releases/tag/v0.3.0) 146 | 147 | * Start JanusGraph with defaults (Cassandra, ElasticSearch local) 148 | Note, you need [java8](https://docs.janusgraph.org/getting-started/installation/#local-installation) 149 | 150 | ```bash 151 | export JAVA_HOME=/path/to/jre1.8.0_211/ 152 | 153 | $ janusgraph-0.3.0-hadoop2/bin/janusgraph.sh start 154 | Forking Cassandra... 155 | Running `nodetool statusthrift`.. OK (returned exit status 0 and printed string "running"). 156 | Forking Elasticsearch... 157 | Connecting to Elasticsearch (127.0.0.1:9200)..... OK (connected to 127.0.0.1:9200). 158 | Forking Gremlin-Server... 159 | Connecting to Gremlin-Server (127.0.0.1:8182)..... OK (connected to 127.0.0.1:8182). 160 | Run gremlin.sh to connect. 161 | ``` 162 | 163 | * Connect via Gremlin 164 | 165 | - [gremlin-server](http://tinkerpop.apache.org/docs/current/reference/#gremlin-server) 166 | 167 | ```bash 168 | $ janusgraph-0.3.0-hadoop2/bin/gremlin.sh 169 | 170 | \,,,/ 171 | (o o) 172 | -----oOOo-(3)-oOOo----- 173 | SLF4J: Class path contains multiple SLF4J bindings. 174 | plugin activated: janusgraph.imports 175 | plugin activated: tinkerpop.server 176 | plugin activated: tinkerpop.gephi 177 | plugin activated: tinkerpop.utilities 178 | gremlin> 179 | ``` 180 | 181 | - Setup Gremlin local connection 182 | 183 | ``` 184 | :remote connect tinkerpop.server conf/remote.yaml session 185 | :remote console 186 | ``` 187 | 188 | Run Exporter 189 | 190 | ```bash 191 | go run main.go -v 0 -alsologtostderr --organization 673208786098 --generateGraphDB > /tmp/graph.groovy 192 | ``` 193 | 194 | Load output file 195 | 196 | ```groovy 197 | g.V().drop() 198 | g.E().drop() 199 | 200 | :load /tmp/graph.groovy 201 | ``` 202 | >> the load may take ~hr, right 203 | 204 | TODO: make it parallel, the groovy file creates all the permission vertices first...the role permission map could be done in a parallel... 205 | 206 | Once loaded into JanusGraph, use tinkerpop to query the graph or render it with an external tool like CytoScape 207 | 208 | - Outbound Edges from a Vertex: 209 | 210 | Which Roles include this permission: 211 | ```groovy 212 | gremlin> g.V().hasLabel('permission').has('name', 'accessapproval.requests.list').outE() 213 | ==>e[1ozr6-102z4-6c5-1z0zk][1683472-in->3313856] 214 | ==>e[1abk2-102z4-6c5-1z7a8][1683472-in->3322016] 215 | ==>e[1g3cy-102z4-6c5-1zwkg][1683472-in->3354784] 216 | ==>e[u58i-102z4-6c5-202rs][1683472-in->3362824] 217 | ==>e[uarm-102z4-6c5-21noo][1683472-in->3436584] 218 | ==>e[1pwxu-102z4-6c5-235fc][1683472-in->3506232] 219 | ==>e[1vchu-102z4-6c5-24ahc][1683472-in->3559440] 220 | ``` 221 | 222 | ```groovy 223 | gremlin> g.V().hasLabel('permission').has('name', 'accessapproval.requests.list').out().valueMap() 224 | ==>{deleted=[false], stage=[GA], name=[roles/iam.securityAdmin], description=[Security admin role, with permissions to get and set any IAM policy.], title=[Security Admin]} 225 | ==>{deleted=[false], stage=[GA], name=[roles/editor], description=[Edit access to all resources.], title=[Editor]} 226 | ==>{deleted=[false], stage=[GA], name=[roles/owner], description=[Full access to all resources.], title=[Owner]} 227 | ==>{deleted=[false], stage=[BETA], name=[roles/accessapproval.viewer], description=[Ability to view access approval requests and configuration], title=[Access Approval Viewer]} 228 | ==>{deleted=[false], stage=[BETA], name=[roles/accessapproval.approver], description=[Ability to view or act on access approval requests and view configuration], title=[Access Approval Approver]} 229 | ==>{deleted=[false], stage=[GA], name=[roles/iam.securityReviewer], description=[Security reviewer role, with permissions to get any IAM policy.], title=[Security Reviewer]} 230 | ==>{deleted=[false], stage=[GA], name=[roles/viewer], description=[Read access to all resources.], title=[Viewer]} 231 | ``` 232 | 233 | 234 | - Connected Vertices: 235 | 236 | Which permission are included in a ROle 237 | 238 | ```groovy 239 | gremlin> i=g.V().outE().hasLabel('in').inV().has('name','roles/accessapproval.viewer')[0].id() 240 | 241 | gremlin> g.V().hasLabel('permission').where(out().hasId(i)).valueMap() 242 | ==>{name=[resourcemanager.projects.list]} 243 | ==>{name=[resourcemanager.projects.get]} 244 | ==>{name=[accessapproval.requests.get]} 245 | ==>{name=[accessapproval.requests.list]} 246 | ==>{name=[accessapproval.settings.get]} 247 | ``` 248 | #### Load Graph to CytoScape 249 | 250 | 251 | For [Cytoscape](https://cytoscape.org/), export graph to GraphML file: 252 | 253 | ``` 254 | gremlin> sg = g.V().outE().subgraph('sg').cap('sg').next() 255 | ==>tinkergraph[vertices:4703 edges:34216] 256 | 257 | gremlin> sg.io(IoCore.graphml()).writeGraph("/tmp/mygraph.xml") 258 | ==>null 259 | ``` 260 | 261 | - Import GraphML to Cytoscape 262 | 263 | As file: 264 | 265 | ``` 266 | gsutil cp gs://iam-graph/graph_03102020.xml . 267 | ``` 268 | 269 | on Cytoscape, ```File->Import->Network->File```, Select ```GraphMLFile``` the ```/tmp/mygraph.xml``` 270 | 271 | 272 | As URL 273 | 274 | on Cytoscape, ```File->Import->Network->URL```, Use URL 275 | - [https://storage.googleapis.com/iam-graph/graph_03102020.xml](https://storage.googleapis.com/iam-graph/graph_03102020.xml) 276 | 277 | 278 | Upon import you should see the Cytoscape rendering: 279 | 280 | 281 | ![images/cytoscape_all.png](images/cytoscape_all.png) 282 | 283 | then ofcourse if you want to graph waldo and his neighbors 284 | 285 | ![images/waldo.png](images/waldo.png) 286 | 287 | yeah, thats the limit of how much useful stuff i know with cytoscape 288 | 289 | 290 | If you want to export the janusgraph to grapSON 291 | 292 | ```groovy 293 | sg = g.V().outE().subgraph('sg').cap('sg').next() 294 | file = new FileOutputStream("/tmp/graph.json") 295 | mapper = GraphSONMapper.build().addCustomModule(org.janusgraph.graphdb.tinkerpop.io.graphson.JanusGraphSONModuleV2d0.getInstance()).create() 296 | writer = GraphSONWriter.build().mapper(mapper).create() 297 | writer.writeGraph(file, sg) 298 | ``` 299 | 300 | you can find example defautl roles/permissions under the `map/example/` folder -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /query/README.md: -------------------------------------------------------------------------------- 1 | 2 | ## IAM Permission Verification 3 | 4 | Google Cloud IAM Troubleshooting scripts intended to provide several indicators of users permissions on GCP resources. 5 | 6 | * `inspect/query` 7 | - [checkEndUserPermissions](#checkEndUserPermissions) 8 | 9 | - Allows an end user to ask "of all the permissions this resource accepts, which ones do I have?" 10 | - Allows a domain administrator to _impersonate_ any user and inspect which permissions that user has on a resource. 11 | 12 | - [usePolicyTroubleshooter](#usePolicyTroubleshooter) 13 | 14 | - Use [IAM Policy Troubleshooter](https://cloud.google.com/iam/docs/troubleshooting-access) API to determine if the user has IAM access to a resource. 15 | 16 | - Display if [IAM Conditions](https://cloud.google.com/iam/docs/conditions-overview) are applicable. 17 | 18 | - Backtrack the [IAM Resource Hierarchy](https://cloud.google.com/iam/docs/resource-hierarchy-access-control) from the resource to root and display all the IAM Roles present at each node. (`TODO`: display subset of permissions at each node applicable to the target resource) 19 | 20 | - [useIAMPolicyRequest](#useIAMPolicyRequest) 21 | 22 | - Use [IAM Policy Analyzer](https://cloud.google.com/asset-inventory/docs/analyzing-iam-policy) to help determine if a given user has access to a resource through indirect capabilities: 23 | 24 | - Through nested or direct group memberships bound to the resource 25 | - Through [service account impersonation](https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials) where the service account has direct or indirect access. 26 | - Other mechanisms described [here](https://cloud.google.com/asset-inventory/docs/analyzing-iam-policy#overview) 27 | 28 | 29 | 30 | 31 | ## Setup 32 | 33 | The following utilities require various levels of privleged access to run and are described in the corresponding section 34 | 35 | Some scripts redirect the quota to a given project for consumption and is described in the appropriate setup scripts below. For more information see [serviceUsageConsumer](#serviceusageconsumer) 36 | 37 | Many of these scripts makes use of GCP Resource Names. For reference, see: 38 | 39 | * [Cloud Full resource names](https://cloud.google.com/iam/docs/full-resource-names) 40 | * [Cloud Asset Inventory Types](https://cloud.google.com/asset-inventory/docs/supported-asset-types#analyzable_asset_types) 41 | 42 | 43 | ## Inspect/Query 44 | 45 | #### checkEndUserPermissions 46 | 47 | This script can be used in two modes: 48 | 49 | * As a user: "_What permissions do I have on this resource?_" 50 | * As an administrator: "_what permissions does this user have on the resource?_" 51 | 52 | 53 | For the first mode, no additional permissions are required since its a type of "self-check" 54 | 55 | For the second, this necessarily requires the ability for the administrator to perform [Domain Wide Delegation](https://developers.google.com/admin-sdk/directory/v1/guides/delegation). This level of access basically allows you to impersonate any user and then see what permissions they have _as that user_. As far as GCP is concerned, the request for IAM permissions check comes as if it is from the end user. 56 | 57 | Notably, this level of access is rare but is left here as an option. 58 | 59 | Configuring the second mode requires a user to have domain-wide/administrator privileges and a service account enabled on the domain for Cloud Platform IAM Scope. See [Configure Domain Wide Delegation](#configure-domain-wide-delegation) 60 | 61 | 62 | - **Usage - As current user** 63 | 64 | Assume the user currently configured for [Application Default Credentials](https://cloud.google.com/docs/authentication/production) is the End User (`user4@esodemoapp2.com`) and wants to "see" what permissions he/she has on GCS Bucket `//storage.googleapis.com/projects/_/buckets/iam-deny-bucket` 65 | 66 | Running the following script as that user show 67 | 68 | 1. All the potential permissions this resource accepts 69 | 2. All the permissions this user currently has. 70 | 71 | Note that the second set is initially empty since this user does *NOT* have any access 72 | 73 | ```log 74 | $ go run main.go \ 75 | --checkResource="//storage.googleapis.com/projects/_/buckets/iam-deny-bucket" \ 76 | --printPermissionsOnResource \ 77 | -v 20 -alsologtostderr 78 | 79 | I0207 11:37:28.549307 456856 main.go:104] ================ QueryTestablePermissions with Resource ====================== 80 | I0207 11:37:28.723178 456856 main.go:127] ================ Getting Permissions 81 | I0207 11:37:28.723209 456856 main.go:141] Testable permissions on resource: 82 | I0207 11:37:28.723217 456856 main.go:143] resourcemanager.hierarchyNodes.createTagBinding 83 | I0207 11:37:28.723224 456856 main.go:143] resourcemanager.hierarchyNodes.deleteTagBinding 84 | I0207 11:37:28.723231 456856 main.go:143] resourcemanager.hierarchyNodes.listTagBindings 85 | I0207 11:37:28.723237 456856 main.go:143] resourcemanager.resourceTagBindings.create 86 | I0207 11:37:28.723251 456856 main.go:143] resourcemanager.resourceTagBindings.delete 87 | I0207 11:37:28.723260 456856 main.go:143] resourcemanager.resourceTagBindings.list 88 | I0207 11:37:28.723266 456856 main.go:143] storage.buckets.createTagBinding 89 | I0207 11:37:28.723275 456856 main.go:143] storage.buckets.delete 90 | I0207 11:37:28.723282 456856 main.go:143] storage.buckets.deleteTagBinding 91 | I0207 11:37:28.723289 456856 main.go:143] storage.buckets.get 92 | I0207 11:37:28.723299 456856 main.go:143] storage.buckets.getIamPolicy 93 | I0207 11:37:28.723306 456856 main.go:143] storage.buckets.listTagBindings 94 | I0207 11:37:28.723315 456856 main.go:143] storage.buckets.setIamPolicy 95 | I0207 11:37:28.723323 456856 main.go:143] storage.buckets.update 96 | I0207 11:37:28.723331 456856 main.go:143] storage.multipartUploads.abort 97 | I0207 11:37:28.723337 456856 main.go:143] storage.multipartUploads.create 98 | I0207 11:37:28.723352 456856 main.go:143] storage.multipartUploads.list 99 | I0207 11:37:28.723361 456856 main.go:143] storage.multipartUploads.listParts 100 | I0207 11:37:28.723369 456856 main.go:143] storage.objects.create 101 | I0207 11:37:28.723377 456856 main.go:143] storage.objects.delete 102 | I0207 11:37:28.723385 456856 main.go:143] storage.objects.get 103 | I0207 11:37:28.723393 456856 main.go:143] storage.objects.getIamPolicy 104 | I0207 11:37:28.723401 456856 main.go:143] storage.objects.list 105 | I0207 11:37:28.723408 456856 main.go:143] storage.objects.setIamPolicy 106 | I0207 11:37:28.723416 456856 main.go:143] storage.objects.update 107 | I0207 11:37:28.723613 456856 main.go:1204] ==== TestIAMPermissions as GCS Bucket Resource ==== 108 | I0207 11:37:28.837305 456856 main.go:1238] User permission on resource: 109 | ``` 110 | 111 | Now add in an IAM the `storageViewer` role 112 | 113 | ![images/a_gcs_viewer.png](images/a_gcs_viewer.png) 114 | 115 | and run the script again 116 | 117 | ```log 118 | $ go run main.go \ 119 | --checkResource="//storage.googleapis.com/projects/_/buckets/iam-deny-bucket" \ 120 | --printPermissionsOnResource \ 121 | -v 20 -alsologtostderr 122 | 123 | 124 | I0207 11:44:19.616210 457832 main.go:1204] ==== TestIAMPermissions as GCS Bucket Resource ==== 125 | I0207 11:44:19.970744 457832 main.go:1238] User permission on resource: 126 | I0207 11:44:19.970790 457832 main.go:1240] storage.objects.get 127 | I0207 11:44:19.970818 457832 main.go:1240] storage.objects.list 128 | ``` 129 | 130 | Note that now the user has *TWO* additional permissions show up. These are the permissions this user has from the field of potential permissions even applicable to this resource type. 131 | 132 | - **Usage - As Administrator** 133 | 134 | You can run this script as an administrator but to do this requires extensive the administrator to _impersonate an end user_ through domain delegation. 135 | 136 | 137 | For example, if an admistrator `securityadmin@esodemoapp2.com` has access to impersonate a service account `adminapi@fabled-ray-104117.iam.gserviceaccount.com` which itself has domain-delegation permissions, the the `securityadmin` can "see" the resource as the user: 138 | 139 | 140 | ```bash 141 | gcloud config set account securityadmin@esodemoapp2.com 142 | gcloud auth application-default login 143 | 144 | 145 | ## impersonate user:user4@esodemoapp2.com and check which permissions apply to resource as that user 146 | go run main.go \ 147 | --checkResource="//storage.googleapis.com/projects/_/buckets/iam-deny-bucket" \ 148 | --identity=user:user4@esodemoapp2.com \ 149 | --checkEndUserPermissions --printPermissionsOnResource \ 150 | --impersonateServiceAccount=adminapi@fabled-ray-104117.iam.gserviceaccount.com \ 151 | -v 20 -alsologtostderr 152 | 153 | I0207 12:09:10.051084 461691 main.go:1204] ==== TestIAMPermissions as GCS Bucket Resource ==== 154 | I0207 12:09:10.298606 461691 main.go:1238] User permission on resource: 155 | I0207 12:09:10.298649 461691 main.go:1240] storage.objects.get 156 | I0207 12:09:10.298708 461691 main.go:1240] storage.objects.list 157 | ``` 158 | 159 | The other resource types supported: 160 | 161 | ```golang 162 | const bigqueryTablesRegex untyped string = "//bigquery.googleapis.com/projects/(.+)/datasets/(.+)/tables/(.+)" 163 | const iamServiceAccountsRegex untyped string = "//iam.googleapis.com/projects/(.+)/serviceAccounts/(.+)" 164 | const serviceAccountsKeysRegex untyped string = "//iam.googleapis.com/projects/(.+)/serviceAccounts/(.+)/keys/(.+)" 165 | const iapAppEngineRegex untyped string = "//iap.googleapis.com/projects/(.+)/iap_web/appengine-(.+)/services/(.+)" 166 | const iapGCERegex untyped string = "//iap.googleapis.com/projects/(.+)/iap_web/compute/services/(.+)" 167 | const spannerInstances untyped string = "//spanner.googleapis.com/projects/(.+)/instances/(.+)" 168 | const storageBucketsRegex untyped string = "//storage.googleapis.com/projects/_/buckets/(.+)" 169 | const computeInstanceRegex untyped string = "//compute.googleapis.com/projects/(.+)/zones/(.+)/instances/(.+)$" 170 | const computeSubNetworksRegex untyped string = "//compute.googleapis.com/projects/(.+)/regions/(.+)/subnetworks/(.+)" 171 | const resourceManagerOrganizationRegex untyped string = "//cloudresourcemanager.googleapis.com/organizations/(.+)" 172 | const resourceManagerProjectsRegex untyped string = "//cloudresourcemanager.googleapis.com/projects/(.+)" 173 | const cloudRunRegex string = "//run.googleapis.com/projects/(.+)/locations/(.+)/services/(.+)" 174 | ``` 175 | 176 | ##### checkEndUserPermissions Caveats 177 | 178 | * Script will show if the user has direct or group-membership based access on the resource 179 | * Script _will not_ show 180 | - if the user has conditional access 181 | - has access through service account impersonation 182 | - has access through workload identity federation 183 | 184 | --- 185 | 186 | #### usePolicyTroubleshooter 187 | 188 | Subscript that uses the IAM Policy Troubleshooter API to show if the user has access to a resource or not and how it got that access. 189 | 190 | Once the user's apparent access is displayed, this script will attempt to print all the IAM roles in the resource hierarchy back to the org node. 191 | 192 | The reason to do this is to display the roles and (eventually; its still a TODO:), extract out all the IAM permissions contained in those roles and filter/display only those permissions that apply to this resource (as provided by the `checkEndUserPermissions` subscript.) 193 | 194 | Anyway, this requires the user who is running this script to have (preferably), have the following organizational level permissions: 195 | 196 | `Cloud Asset Viewer`, `Security Reviewer` and the subset of these `ready-only` permission at the org level: 197 | 198 | ```bash 199 | orgpolicy.constraints.list 200 | orgpolicy.policies.list 201 | orgpolicy.policy.get 202 | resourcemanager.folders.get 203 | resourcemanager.folders.getIamPolicy 204 | resourcemanager.folders.list 205 | resourcemanager.organizations.get 206 | resourcemanager.organizations.getIamPolicy 207 | resourcemanager.projects.get 208 | resourcemanager.projects.getIamPolicy 209 | resourcemanager.projects.list 210 | #iam.denypolicies.get 211 | #iam.denypolicies.list 212 | ``` 213 | 214 | Note, the default role `Organization Administrator` has the `set IAMPolicy` permissions. The recommendation is to create a custom role with just the permissions set above: 215 | 216 | 217 | ![images/org_custom_role.png](images/org_custom_role.png) 218 | 219 | ![images/org_iam.png](images/org_iam.png) 220 | 221 | 222 | - Usage 223 | 224 | To use this script, specify the appropriate resource name and permission to check. 225 | 226 | for reference on the format for the `checkResource` and `permissions`, see 227 | 228 | * [Permissions Reference](https://cloud.google.com/iam/docs/permissions-reference) 229 | * [Resource Names](https://cloud.google.com/apis/design/resource_names) 230 | 231 | 232 | For example, if you want to check if an end-user `user4@esodemoapp2.com` has the `storage.objects.get` permission on a GCS Bucket `iam-deny-bucket` and you know that the bucket is in project `projects/cicp-oidc`, then issue the command switches: 233 | 234 | ```log 235 | $ go run main.go \ 236 | --checkResource="//storage.googleapis.com/projects/_/buckets/iam-deny-bucket" \ 237 | --permissionToCheck=storage.objects.get \ 238 | --identity="user:user4@esodemoapp2.com" \ 239 | --scope="projects/cicp-oidc" \ 240 | --usePolicyTroubleshooter \ 241 | --projectID=fabled-ray-104117 \ 242 | -v 10 -alsologtostderr 243 | 244 | 245 | I0207 12:20:16.054049 464112 main.go:369] Getting PolicyTroubleshooter 246 | I0207 12:20:17.082121 464112 main.go:403] User's AccessState GRANTED 247 | I0207 12:20:17.082234 464112 main.go:407] User's AccessState granted at //storage.googleapis.com/projects/_/buckets/iam-deny-bucket 248 | I0207 12:20:17.082283 464112 main.go:413] user has binding with permission via roles roles/storage.objectViewer 249 | I0207 12:20:17.082327 464112 main.go:414] through membership map[user:user4@esodemoapp2.com:membership:MEMBERSHIP_INCLUDED relevance:HIGH] 250 | 251 | 252 | I0207 12:20:17.082420 464112 main.go:424] ================ Determining Hierarchy for resource //storage.googleapis.com/projects/_/buckets/iam-deny-bucket 253 | I0207 12:20:17.082437 464112 main.go:438] Getting ScopedPermission for resource [//storage.googleapis.com/projects/_/buckets/iam-deny-bucket] in scope [projects/cicp-oidc] 254 | I0207 12:20:17.082697 464112 main.go:570] ==== Scoped Resource is GCS Bucket ==== iam-deny-bucket 255 | I0207 12:20:17.572652 464112 main.go:593] Roles ==== roles/storage.legacyBucketOwner 256 | I0207 12:20:17.572795 464112 main.go:593] Roles ==== roles/storage.legacyBucketReader 257 | I0207 12:20:17.572873 464112 main.go:593] Roles ==== roles/storage.objectViewer 258 | I0207 12:20:17.573197 464112 main.go:817] SearchingAssets of type [storage.googleapis.com/Bucket] with query [name:iam-deny-bucket] 259 | I0207 12:20:18.111847 464112 main.go:875] Ancestor: [project/cicp-oidc] 260 | I0207 12:20:18.111958 464112 main.go:879] Project: [cicp-oidc] 261 | I0207 12:20:18.352594 464112 main.go:890] Policy Binding roles/cloudasset.viewer 262 | I0207 12:20:18.352723 464112 main.go:890] Policy Binding roles/cloudfunctions.serviceAgent 263 | I0207 12:20:18.352809 464112 main.go:890] Policy Binding roles/compute.serviceAgent 264 | I0207 12:20:18.352892 464112 main.go:890] Policy Binding roles/editor 265 | I0207 12:20:18.352972 464112 main.go:890] Policy Binding roles/firebase.managementServiceAgent 266 | I0207 12:20:18.353055 464112 main.go:890] Policy Binding roles/firebase.sdkAdminServiceAgent 267 | I0207 12:20:18.353135 464112 main.go:890] Policy Binding roles/firebaserules.system 268 | I0207 12:20:18.353215 464112 main.go:890] Policy Binding roles/firestore.serviceAgent 269 | I0207 12:20:18.353296 464112 main.go:890] Policy Binding roles/iam.securityAdmin 270 | I0207 12:20:18.353377 464112 main.go:890] Policy Binding roles/iam.serviceAccountTokenCreator 271 | I0207 12:20:18.353457 464112 main.go:890] Policy Binding roles/owner 272 | I0207 12:20:18.353538 464112 main.go:890] Policy Binding roles/storage.objectViewer 273 | I0207 12:20:18.353613 464112 main.go:875] Ancestor: [folder/750467892309] 274 | I0207 12:20:18.353690 464112 main.go:895] Folder: [750467892309] 275 | I0207 12:20:18.659502 464112 main.go:905] Policy Binding roles/resourcemanager.folderAdmin 276 | I0207 12:20:18.659634 464112 main.go:905] Policy Binding roles/resourcemanager.folderEditor 277 | I0207 12:20:18.659713 464112 main.go:875] Ancestor: [organization/673208786098] 278 | I0207 12:20:18.659790 464112 main.go:911] Organization: [673208786098] 279 | I0207 12:20:18.880545 464112 main.go:921] Policy Binding organizations/673208786098/roles/CustomOrganizationAdministrato 280 | I0207 12:20:18.880680 464112 main.go:921] Policy Binding roles/accesscontextmanager.gcpAccessAdmin 281 | I0207 12:20:18.880771 464112 main.go:921] Policy Binding roles/accesscontextmanager.policyAdmin 282 | I0207 12:20:18.880852 464112 main.go:921] Policy Binding roles/accesscontextmanager.policyEditor 283 | I0207 12:20:18.880933 464112 main.go:921] Policy Binding roles/bigquery.jobUser 284 | I0207 12:20:18.881036 464112 main.go:921] Policy Binding roles/billing.admin 285 | I0207 12:20:18.881117 464112 main.go:921] Policy Binding roles/cloudasset.viewer 286 | I0207 12:20:18.881198 464112 main.go:921] Policy Binding roles/cloudfunctions.serviceAgent 287 | I0207 12:20:18.881284 464112 main.go:921] Policy Binding roles/iam.denyAdmin 288 | I0207 12:20:18.881365 464112 main.go:921] Policy Binding roles/iam.organizationRoleViewer 289 | I0207 12:20:18.881444 464112 main.go:921] Policy Binding roles/iam.securityReviewer 290 | I0207 12:20:18.881523 464112 main.go:921] Policy Binding roles/monitoring.viewer 291 | I0207 12:20:18.881603 464112 main.go:921] Policy Binding roles/orgpolicy.policyAdmin 292 | I0207 12:20:18.881681 464112 main.go:921] Policy Binding roles/orgpolicy.policyViewer 293 | I0207 12:20:18.881761 464112 main.go:921] Policy Binding roles/owner 294 | I0207 12:20:18.881840 464112 main.go:921] Policy Binding roles/resourcemanager.folderAdmin 295 | I0207 12:20:18.881919 464112 main.go:921] Policy Binding roles/resourcemanager.folderCreator 296 | I0207 12:20:18.882000 464112 main.go:921] Policy Binding roles/resourcemanager.folderEditor 297 | I0207 12:20:18.882079 464112 main.go:921] Policy Binding roles/resourcemanager.folderMover 298 | I0207 12:20:18.882172 464112 main.go:921] Policy Binding roles/resourcemanager.folderViewer 299 | I0207 12:20:18.882242 464112 main.go:921] Policy Binding roles/resourcemanager.organizationAdmin 300 | I0207 12:20:18.882310 464112 main.go:921] Policy Binding roles/resourcemanager.organizationViewer 301 | I0207 12:20:18.882383 464112 main.go:921] Policy Binding roles/resourcemanager.projectCreator 302 | I0207 12:20:18.882452 464112 main.go:921] Policy Binding roles/resourcemanager.projectIamAdmin 303 | I0207 12:20:18.882520 464112 main.go:921] Policy Binding roles/securitycenter.serviceAgent 304 | I0207 12:20:18.882590 464112 main.go:921] Policy Binding roles/serviceusage.serviceUsageAdmin 305 | I0207 12:20:18.882659 464112 main.go:921] Policy Binding roles/serviceusage.serviceUsageConsumer 306 | ``` 307 | 308 | The output here shows that 309 | 310 | * User has access to this resource 311 | 312 | ```log 313 | I0207 12:20:17.082121 464112 main.go:403] User's AccessState GRANTED 314 | I0207 12:20:17.082234 464112 main.go:407] User's AccessState granted at //storage.googleapis.com/projects/_/buckets/iam-deny-bucket 315 | I0207 12:20:17.082283 464112 main.go:413] user has binding with permission via roles roles/storage.objectViewer 316 | I0207 12:20:17.082327 464112 main.go:414] through membership map[user:user4@esodemoapp2.com:membership:MEMBERSHIP_INCLUDED relevance:HIGH] 317 | ``` 318 | 319 | while the rest of the script "walks back" the IAM tree to the root and displays the IAM role bindingsat each node. Again, a TODO for me is to print the subset of permissions applicable and any conditions that may exist in those role bindings 320 | 321 | There are a few other resource types supported for this utility: 322 | 323 | 324 | - `Organization` 325 | 326 | ```bash 327 | --checkResource="//cloudresourcemanager.googleapis.com/organizations/673208786098" 328 | --permissionToCheck=storage.objects.get 329 | ``` 330 | 331 | - `Folder` 332 | 333 | ```bash 334 | --checkResource="//cloudresourcemanager.googleapis.com/folders/750467892309" 335 | --permissionToCheck=storage.objects.get --identity="user:user4@esodemoapp2.com" 336 | ``` 337 | 338 | - `Project` 339 | 340 | ```bash 341 | --checkResource="//cloudresourcemanager.googleapis.com/projects/fabled-ray-104117" 342 | --permissionToCheck=iam.roles.list 343 | ``` 344 | 345 | - `BigQuery` 346 | 347 | ```bash 348 | ## Table 349 | --checkResource="//bigquery.googleapis.com/projects/fabled-ray-104117/datasets/test/tables/person" 350 | --permissionToCheck=bigquery.tables.get 351 | 352 | 353 | ## Dataset 354 | --checkResource="//bigquery.googleapis.com/projects/fabled-ray-104117/datasets/test" 355 | --permissionToCheck=bigquery.datasets.get 356 | ``` 357 | 358 | TODO: not working "message": "Internal error encountered." 359 | 360 | - `ServiceAccount` 361 | 362 | ```bash 363 | --checkResource="//iam.googleapis.com/projects/fabled-ray-104117/serviceAccounts/schedulerunner@fabled-ray-104117.iam.gserviceaccount.com" --permissionToCheck=iam.serviceAccounts.get 364 | ``` 365 | 366 | - `IAP` 367 | 368 | ```bash 369 | ## AppEngine 370 | --checkResource="//iap.googleapis.com/projects/248066739582/iap_web/appengine-fabled-ray-104117/services/default" 371 | --permissionToCheck=iap.webServiceVersions.accessViaIAP 372 | 373 | ## GCE Backend Service 374 | --checkResource="//iap.googleapis.com/projects/248066739582/iap_web/compute/services/ngin-bs" 375 | --permissionToCheck=iap.webServiceVersions.accessViaIAP 376 | ``` 377 | 378 | - `GCE Instance` 379 | 380 | ```bash 381 | --checkResource="//compute.googleapis.com/projects/fabled-ray-104117/zones/us-central1-a/instances/instance-1" 382 | --permissionToCheck=compute.instances.get --identity="user:user4@esodemoapp2.com" 383 | ``` 384 | 385 | - `Cloud Run` 386 | 387 | ```bash 388 | --checkResource="//run.googleapis.com/projects/fabled-ray-104117/locations/us-central1/services/myapp" 389 | --permissionToCheck=compute.instances.get --identity="user:user4@esodemoapp2.com" 390 | ``` 391 | 392 | --- 393 | 394 | #### useIAMPolicyRequest 395 | 396 | Script the IAM Policy API to fully explore the direct and indirect permissions that a given user has on a resource. 397 | 398 | The way this script works is by issuing an IAM Analysis query with all the flags set to try an get a complete picture. 399 | 400 | API call looks like this: 401 | 402 | ```golang 403 | req := &assetpb.AnalyzeIamPolicyLongrunningRequest{ 404 | AnalysisQuery: &assetpb.IamPolicyAnalysisQuery{ 405 | Scope: *scope, 406 | ResourceSelector: &assetpb.IamPolicyAnalysisQuery_ResourceSelector{ 407 | FullResourceName: *checkResource, 408 | }, 409 | IdentitySelector: &assetpb.IamPolicyAnalysisQuery_IdentitySelector{ 410 | Identity: *identity, 411 | }, 412 | Options: &assetpb.IamPolicyAnalysisQuery_Options{ 413 | ExpandGroups: true, 414 | OutputGroupEdges: true, 415 | ExpandResources: true, 416 | ExpandRoles: true, 417 | OutputResourceEdges: true, 418 | AnalyzeServiceAccountImpersonation: *enableImpersonatedCheck, 419 | }, 420 | }, 421 | OutputConfig: &assetpb.IamPolicyAnalysisOutputConfig{ 422 | Destination: &assetpb.IamPolicyAnalysisOutputConfig_GcsDestination_{ 423 | GcsDestination: &assetpb.IamPolicyAnalysisOutputConfig_GcsDestination{ 424 | Uri: fmt.Sprintf("%s/%s", *gcsDestinationForLongRunningAnalysis, fileName), 425 | }, 426 | }, 427 | }, 428 | } 429 | ``` 430 | 431 | Note the `OutputConfig` is a bit odd: it writes the output of the analysis to a GCS bucket. At the moment, this API only supports writing the output to a gcs file or to BQ. (Ideally, it should return the full set through a long-running operation result directly to the client). As a workaround, this script mimics the LRO response output by asking the API to write to a GCS file and then reading that file to parse out the response (i know, crappy but its the only way currently). 432 | 433 | Since GCS access is now in the picture, it'll help explain the bucket creation and permission steps below. 434 | 435 | 436 | As for permission required to run this query: `Cloud Asset Viewer`, `Security Reviewer` and the subset of these `ready-only` permission at the org level as described in the [usePolicyTroubleshooter](#usePolicyTroubleshooter) section is required 437 | 438 | The user (`securityadmin@`) running the script must have [ServiceUsageConsumer](#ServiceUsageConsumer) on the project specified in the `--projectID` parameter 439 | 440 | The user (`securityadmin@`) running the script must have read/write permission on a GCS 441 | 442 | 443 | In the following, the bucket and service usage permissions are on quotaProject `fabled-ray-104117` 444 | ```bash 445 | ## Create bucket 446 | gsutil mb gs://fabled-ray-104117-lro 447 | 448 | # add permissions 449 | gsutil iam ch user:securityadmin@esodemoapp2.com:objectAdmin gs://fabled-ray-104117-lro 450 | 451 | ## init user running script 452 | gcloud config set account securityadmin@esodemoapp2.com 453 | gcloud auth application-default login 454 | gcloud config set project fabled-ray-104117 455 | ``` 456 | 457 | ##### Usage 458 | 459 | The following attempts to see if the user `user4@esodemoapp2.com` has access to `//storage.googleapis.com/projects/_/buckets/iam-deny-bucket` and where the query is scoped (either project, folder or organization level) 460 | 461 | >> note, if you omit `enableImpersonatedCheck`, the output will not be written to the the GCS bucket and will NOT include information about any potential service-account impersonation based access. 462 | 463 | You must specify the `--scope=` variable which defines the search field (e.g Project: `--scope="projects/cicp-oidc"`, Folders: `--scope="folders/750467892309"`, Organization: `--scope="organizations/673208786098"`). 464 | 465 | You can specify any supported [Full resource names](https://cloud.google.com/iam/docs/full-resource-names). 466 | 467 | - User without access: 468 | 469 | (using project scoped) 470 | 471 | ```log 472 | $ go run main.go \ 473 | --checkResource="//storage.googleapis.com/projects/_/buckets/iam-deny-bucket" \ 474 | --identity="user:user4@esodemoapp2.com" \ 475 | --scope="projects/cicp-oidc" \ 476 | --useIAMPolicyRequest \ 477 | --projectID=fabled-ray-104117 \ 478 | --enableImpersonatedCheck \ 479 | --gcsDestinationForLongRunningAnalysis=gs://fabled-ray-104117-lro \ 480 | -v 20 -alsologtostderr 481 | 482 | I0207 13:37:44.212252 477325 main.go:202] Getting AnalyzeIamPolicyRequest 483 | I0207 13:37:45.595553 477325 main.go:317] Result written to gs://fabled-ray-104117-lro/20220207183744 484 | ``` 485 | 486 | ##### User with direct access 487 | 488 | * `user4` has an IAM binding directly on `iam-deny-bucket` 489 | 490 | ```log 491 | go run main.go --checkResource="//storage.googleapis.com/projects/_/buckets/iam-deny-bucket" \ 492 | --identity="user:user4@esodemoapp2.com" --scope="projects/cicp-oidc" \ 493 | --useIAMPolicyRequest \ 494 | --projectID=fabled-ray-104117 \ 495 | --enableImpersonatedCheck \ 496 | --gcsDestinationForLongRunningAnalysis=gs://fabled-ray-104117-bucket \ 497 | -v 20 -alsologtostderr 498 | 499 | 500 | I0207 13:59:51.972794 481047 main.go:202] Getting AnalyzeIamPolicyRequest 501 | I0207 13:59:53.659686 481047 main.go:316] Result written to gs://fabled-ray-104117-lro/20220207185951 502 | I0207 13:59:54.048486 481047 main.go:357] Parsed AnalyzeIamPolicyResponse from gs://fabled-ray-104117-lro/20220207185951 503 | I0207 13:59:54.048571 481047 main.go:362] user:user4@esodemoapp2.com has access to resource [full_resource_name:"//storage.googleapis.com/iam-deny-bucket"] 504 | I0207 13:59:54.048671 481047 main.go:363] with capability [permission:"storage.objects.get" role:"roles/storage.objectViewer" permission:"storage.objects.list"] 505 | I0207 13:59:54.048755 481047 main.go:364] from node [//storage.googleapis.com/iam-deny-bucket] 506 | I0207 13:59:54.048803 481047 main.go:372] user is directly included in the role binding 507 | ``` 508 | 509 | ##### Indirect: Groups binding to Project 510 | 511 | * `user4` is member of `group4_7@` 512 | * `group4_7@` has direct access to `iam-deny-bucket` through binding at Project level 513 | 514 | ```log 515 | go run main.go --checkResource="//storage.googleapis.com/projects/_/buckets/iam-deny-bucket" \ 516 | --identity="user:user4@esodemoapp2.com" --scope="projects/cicp-oidc" \ 517 | --useIAMPolicyRequest \ 518 | --projectID=fabled-ray-104117 \ 519 | --enableImpersonatedCheck \ 520 | --gcsDestinationForLongRunningAnalysis=gs://fabled-ray-104117-bucket \ 521 | -v 20 -alsologtostderr 522 | 523 | I0207 15:08:38.056245 491577 main.go:202] Getting AnalyzeIamPolicyRequest 524 | I0207 15:08:40.567676 491577 main.go:316] Result written to gs://fabled-ray-104117-bucket/20220207200838 525 | I0207 15:08:40.743451 491577 main.go:357] Parsed AnalyzeIamPolicyResponse from gs://fabled-ray-104117-bucket/20220207200838 526 | I0207 15:08:40.743522 491577 main.go:362] user:user4@esodemoapp2.com has access to resource [full_resource_name:"//storage.googleapis.com/iam-deny-bucket"] 527 | I0207 15:08:40.743603 491577 main.go:363] with capability [permission:"storage.objects.get" role:"roles/storage.objectViewer" permission:"storage.objects.list"] 528 | I0207 15:08:40.743668 491577 main.go:364] from node [//storage.googleapis.com/iam-deny-bucket] 529 | I0207 15:08:40.743713 491577 main.go:374] user is included in the role binding through a group hierarchy: [user:user4@esodemoapp2.com --> group:group4_7@esodemoapp2.com ] 530 | ``` 531 | 532 | ##### Indirect: Groups binding to Folder 533 | 534 | * `user4` is member of `group4_7@` 535 | * `group4_7@` has direct access to `iam-deny-bucket` through binding at Folder level 536 | 537 | ```log 538 | go run main.go --checkResource="//storage.googleapis.com/projects/_/buckets/iam-deny-bucket" \ 539 | --identity="user:user4@esodemoapp2.com" --scope="folders/750467892309" \ 540 | --useIAMPolicyRequest \ 541 | --projectID=fabled-ray-104117 \ 542 | --enableImpersonatedCheck \ 543 | --gcsDestinationForLongRunningAnalysis=gs://fabled-ray-104117-bucket \ 544 | -v 20 -alsologtostderr 545 | 546 | I0207 15:13:34.350153 492005 main.go:202] Getting AnalyzeIamPolicyRequest 547 | I0207 15:13:35.656361 492005 main.go:316] Result written to gs://fabled-ray-104117-bucket/20220207201334 548 | I0207 15:13:36.053829 492005 main.go:357] Parsed AnalyzeIamPolicyResponse from gs://fabled-ray-104117-bucket/20220207201334 549 | I0207 15:13:36.053907 492005 main.go:362] user:user4@esodemoapp2.com has access to resource [full_resource_name:"//storage.googleapis.com/iam-deny-bucket"] 550 | I0207 15:13:36.053994 492005 main.go:363] with capability [permission:"storage.objects.get" role:"roles/storage.objectViewer" permission:"storage.objects.list"] 551 | I0207 15:13:36.054068 492005 main.go:364] from node [//cloudresourcemanager.googleapis.com/folders/750467892309] 552 | I0207 15:13:36.054120 492005 main.go:374] user is included in the role binding through a group hierarchy: [user:user4@esodemoapp2.com --> group:group4_7@esodemoapp2.com ] 553 | ``` 554 | 555 | Note the differences between the command and results between the Folder and Project level binding. 556 | 557 | * the scope is set to `--scope="folders/750467892309"` 558 | * output shows the node where the binding applies: `from node [//cloudresourcemanager.googleapis.com/folders/750467892309]` 559 | In the case for the folder, the binding is at that level 560 | 561 | 562 | ##### Indirect: Groups of Groups 563 | 564 | * `user4` is member of `group4_7@` 565 | * `group4_7@` is member of `group8_10@` 566 | 567 | * `group8_10@` has direct access to `iam-deny-bucket` 568 | 569 | 570 | ```log 571 | go run main.go --checkResource="//storage.googleapis.com/projects/_/buckets/iam-deny-bucket" \ 572 | --identity="user:user4@esodemoapp2.com" --scope="folders/750467892309" \ 573 | --useIAMPolicyRequest \ 574 | --projectID=fabled-ray-104117 \ 575 | --enableImpersonatedCheck \ 576 | --gcsDestinationForLongRunningAnalysis=gs://fabled-ray-104117-bucket \ 577 | -v 20 -alsologtostderr 578 | 579 | I0207 15:16:41.061359 492292 main.go:202] Getting AnalyzeIamPolicyRequest 580 | I0207 15:16:43.546467 492292 main.go:316] Result written to gs://fabled-ray-104117-bucket/20220207201641 581 | I0207 15:16:43.746936 492292 main.go:357] Parsed AnalyzeIamPolicyResponse from gs://fabled-ray-104117-bucket/20220207201641 582 | I0207 15:16:43.747002 492292 main.go:362] user:user4@esodemoapp2.com has access to resource [full_resource_name:"//storage.googleapis.com/iam-deny-bucket"] 583 | I0207 15:16:43.747074 492292 main.go:363] with capability [permission:"storage.objects.get" role:"roles/storage.objectViewer" permission:"storage.objects.list"] 584 | I0207 15:16:43.747131 492292 main.go:364] from node [//storage.googleapis.com/iam-deny-bucket] 585 | I0207 15:16:43.747172 492292 main.go:374] user is included in the role binding through a group hierarchy: [user:user4@esodemoapp2.com --> group:group4_7@esodemoapp2.com --> group:group8_10@esodemoapp2.com ] 586 | ``` 587 | 588 | Note the chained output: 589 | 590 | ``` 591 | user is included in the role binding through a group hierarchy: [user:user4@esodemoapp2.com --> group:group4_7@esodemoapp2.com --> group:group8_10@esodemoapp2.com ] 592 | ``` 593 | 594 | ##### Indirect: Impersonation 595 | 596 | * `user4` can impersonate `impersonate@` 597 | * `impersonate@` has direct access to `iam-deny-bucket` 598 | 599 | ```log 600 | go run main.go --checkResource="//storage.googleapis.com/projects/_/buckets/iam-deny-bucket" \ 601 | --identity="user:user4@esodemoapp2.com" --scope="projects/cicp-oidc" \ 602 | --useIAMPolicyRequest \ 603 | --projectID=fabled-ray-104117 \ 604 | --enableImpersonatedCheck \ 605 | --gcsDestinationForLongRunningAnalysis=gs://fabled-ray-104117-bucket \ 606 | -v 20 -alsologtostderr 607 | 608 | I0207 14:53:34.848030 489225 main.go:202] Getting AnalyzeIamPolicyRequest 609 | I0207 14:53:37.377074 489225 main.go:316] Result written to gs://fabled-ray-104117-bucket/20220207195334 610 | I0207 14:53:37.769406 489225 main.go:357] Parsed AnalyzeIamPolicyResponse from gs://fabled-ray-104117-bucket/20220207195334 611 | I0207 14:53:37.769459 489225 main.go:995] user:user4@esodemoapp2.com has iam permissions roles/iam.serviceAccountTokenCreator on [//iam.googleapis.com/projects/cicp-oidc/serviceAccounts/impersonate@cicp-oidc.iam.gserviceaccount.com] 612 | I0207 14:53:37.769585 489225 main.go:1002] user:user4@esodemoapp2.com can impersonate impersonate@cicp-oidc.iam.gserviceaccount.com 613 | I0207 14:53:37.769613 489225 main.go:995] serviceAccount:impersonate@cicp-oidc.iam.gserviceaccount.com has iam permissions roles/storage.objectViewer on [//storage.googleapis.com/iam-deny-bucket] 614 | ``` 615 | 616 | Note that the above describes the impersonation capability on a given service account and the fact that the specific account has access to a resource. 617 | 618 | 619 | ##### Indirect: Impersonation and Groups 620 | 621 | 622 | * `user4` can impersonate `impersonate@` 623 | * `impersonate@` is a member of `group4_7@` 624 | * `group4_7@` has direct access to `iam-deny-bucket` 625 | 626 | 627 | ```log 628 | go run main.go --checkResource="//storage.googleapis.com/projects/_/buckets/iam-deny-bucket" \ 629 | --identity="user:user4@esodemoapp2.com" --scope="projects/cicp-oidc" \ 630 | --useIAMPolicyRequest \ 631 | --projectID=fabled-ray-104117 \ 632 | --enableImpersonatedCheck \ 633 | --gcsDestinationForLongRunningAnalysis=gs://fabled-ray-104117-bucket \ 634 | -v 20 -alsologtostderr 635 | 636 | 637 | I0207 15:02:28.835624 490310 main.go:202] Getting AnalyzeIamPolicyRequest 638 | I0207 15:02:31.378812 490310 main.go:316] Result written to gs://fabled-ray-104117-bucket/20220207200228 639 | I0207 15:02:31.669787 490310 main.go:357] Parsed AnalyzeIamPolicyResponse from gs://fabled-ray-104117-bucket/20220207200228 640 | I0207 15:02:31.669825 490310 main.go:995] user:user4@esodemoapp2.com has iam permissions roles/iam.serviceAccountTokenCreator on [//iam.googleapis.com/projects/cicp-oidc/serviceAccounts/impersonate@cicp-oidc.iam.gserviceaccount.com] 641 | I0207 15:02:31.669904 490310 main.go:1002] user:user4@esodemoapp2.com can impersonate impersonate@cicp-oidc.iam.gserviceaccount.com 642 | I0207 15:02:31.669919 490310 main.go:995] serviceAccount:impersonate@cicp-oidc.iam.gserviceaccount.com has iam permissions roles/storage.objectViewer on [//storage.googleapis.com/iam-deny-bucket] 643 | ``` 644 | -------------------------------------------------------------------------------- /map/go.sum: -------------------------------------------------------------------------------- 1 | cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= 2 | cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= 3 | cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= 4 | cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= 5 | cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= 6 | cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= 7 | cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= 8 | cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= 9 | cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= 10 | cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= 11 | cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= 12 | cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= 13 | cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= 14 | cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= 15 | cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= 16 | cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= 17 | cloud.google.com/go v0.74.0 h1:kpgPA77kSSbjSs+fWHkPTxQ6J5Z2Qkruo5jfXEkHxNQ= 18 | cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= 19 | cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= 20 | cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= 21 | cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= 22 | cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= 23 | cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= 24 | cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= 25 | cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= 26 | cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= 27 | cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= 28 | cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= 29 | cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= 30 | cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= 31 | cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= 32 | cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= 33 | cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= 34 | cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= 35 | cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= 36 | dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= 37 | github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= 38 | github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= 39 | github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= 40 | github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= 41 | github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= 42 | github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= 43 | github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= 44 | github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= 45 | github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= 46 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 47 | github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= 48 | github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= 49 | github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= 50 | github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= 51 | github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= 52 | github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= 53 | github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= 54 | github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= 55 | github.com/go-gremlin/gremlin v0.0.0-20180314122959-0036b9fca17f h1:1XPSqvFQZqqg87/56Cz6YTMsJR05OmlfO/YGyBn8reE= 56 | github.com/go-gremlin/gremlin v0.0.0-20180314122959-0036b9fca17f/go.mod h1:S4LPoDx6IQNn8uwT9EZw3kF21i9cxnjAE55PKNkpvAw= 57 | github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58= 58 | github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= 59 | github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 60 | github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 61 | github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e h1:1r7pUrabqp18hOBcwBwiTsbnFeTZHV9eER/QT5JVZxY= 62 | github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 63 | github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= 64 | github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= 65 | github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= 66 | github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= 67 | github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= 68 | github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= 69 | github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= 70 | github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 71 | github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 72 | github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 73 | github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= 74 | github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= 75 | github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk= 76 | github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= 77 | github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= 78 | github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= 79 | github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= 80 | github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= 81 | github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= 82 | github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= 83 | github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM= 84 | github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= 85 | github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= 86 | github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= 87 | github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= 88 | github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 89 | github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 90 | github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 91 | github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 92 | github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 93 | github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 94 | github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 95 | github.com/google/go-cmp v0.5.4 h1:L8R9j+yAqZuZjsqh/z+F1NCffTKKLShY6zXTItVIZ8M= 96 | github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 97 | github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= 98 | github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= 99 | github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= 100 | github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= 101 | github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= 102 | github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 103 | github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 104 | github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 105 | github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 106 | github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 107 | github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= 108 | github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= 109 | github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= 110 | github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 111 | github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= 112 | github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+Tv3SM= 113 | github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= 114 | github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc= 115 | github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= 116 | github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= 117 | github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= 118 | github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= 119 | github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= 120 | github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= 121 | github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= 122 | github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= 123 | github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= 124 | github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 125 | github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= 126 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 127 | github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= 128 | github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= 129 | github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww= 130 | github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= 131 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 132 | github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= 133 | github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= 134 | github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 135 | github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 136 | github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 137 | github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 138 | go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= 139 | go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= 140 | go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= 141 | go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= 142 | go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= 143 | go.opencensus.io v0.22.5 h1:dntmOdLpSpHlVqbW5Eay97DelsZHe+55D+xC6i0dDS0= 144 | go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= 145 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 146 | golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 147 | golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 148 | golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 149 | golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 150 | golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 151 | golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 152 | golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 153 | golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= 154 | golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= 155 | golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= 156 | golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= 157 | golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= 158 | golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= 159 | golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= 160 | golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= 161 | golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= 162 | golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 163 | golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= 164 | golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 165 | golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 166 | golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 167 | golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 168 | golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 169 | golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= 170 | golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= 171 | golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= 172 | golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= 173 | golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= 174 | golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= 175 | golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= 176 | golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= 177 | golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= 178 | golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= 179 | golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 180 | golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 181 | golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 182 | golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 183 | golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 184 | golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 185 | golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 186 | golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 187 | golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 188 | golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 189 | golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 190 | golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= 191 | golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 192 | golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 193 | golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 194 | golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 195 | golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 196 | golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 197 | golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 198 | golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 199 | golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 200 | golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= 201 | golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= 202 | golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= 203 | golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= 204 | golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= 205 | golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= 206 | golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= 207 | golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= 208 | golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= 209 | golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= 210 | golang.org/x/net v0.0.0-20201209123823-ac852fbbde11 h1:lwlPPsmjDKK0J6eG6xDWd5XPehI0R024zxjDnw3esPA= 211 | golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= 212 | golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 213 | golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 214 | golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 215 | golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 216 | golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 217 | golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= 218 | golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= 219 | golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5 h1:Lm4OryKCca1vehdsWogr9N4t7NfZxLbJoc/H0w4K4S4= 220 | golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= 221 | golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 222 | golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 223 | golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 224 | golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 225 | golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 226 | golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 227 | golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 228 | golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 229 | golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 230 | golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 231 | golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 232 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 233 | golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 234 | golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 235 | golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 236 | golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 237 | golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 238 | golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 239 | golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 240 | golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 241 | golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 242 | golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 243 | golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 244 | golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 245 | golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 246 | golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 247 | golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 248 | golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 249 | golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 250 | golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 251 | golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 252 | golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 253 | golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 254 | golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 255 | golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 256 | golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 257 | golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 258 | golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 259 | golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 260 | golang.org/x/sys v0.0.0-20210104204734-6f8348627aad h1:MCsdmFSdEd4UEa5TKS5JztCRHK/WtvNei1edOj5RSRo= 261 | golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 262 | golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= 263 | golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 264 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 265 | golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 266 | golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= 267 | golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 268 | golang.org/x/text v0.3.4 h1:0YWbFKbhXG/wIiuHDSKpS0Iy7FSA+u45VtBMfQcFTTc= 269 | golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 270 | golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 271 | golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 272 | golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 273 | golang.org/x/time v0.0.0-20201208040808-7e3f01d25324 h1:Hir2P/De0WpUhtrKGGjvSb2YxUgyZ7EFOSLIcSSpiwE= 274 | golang.org/x/time v0.0.0-20201208040808-7e3f01d25324/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 275 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 276 | golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 277 | golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= 278 | golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= 279 | golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= 280 | golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= 281 | golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= 282 | golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= 283 | golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= 284 | golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= 285 | golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= 286 | golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= 287 | golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 288 | golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 289 | golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 290 | golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 291 | golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 292 | golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 293 | golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 294 | golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 295 | golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 296 | golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 297 | golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 298 | golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 299 | golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 300 | golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 301 | golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 302 | golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 303 | golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 304 | golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 305 | golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= 306 | golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= 307 | golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= 308 | golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 309 | golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 310 | golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 311 | golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 312 | golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= 313 | golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= 314 | golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= 315 | golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= 316 | golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= 317 | golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= 318 | golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= 319 | golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= 320 | golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 321 | golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 322 | golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 323 | golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 324 | google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= 325 | google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= 326 | google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= 327 | google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= 328 | google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= 329 | google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= 330 | google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= 331 | google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= 332 | google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= 333 | google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= 334 | google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= 335 | google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= 336 | google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= 337 | google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= 338 | google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= 339 | google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= 340 | google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= 341 | google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= 342 | google.golang.org/api v0.39.0 h1:zHCTXf0NeDdKTgcSQpT+ZflWAqHsEp1GmdpxW09f3YM= 343 | google.golang.org/api v0.39.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= 344 | google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= 345 | google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 346 | google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 347 | google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= 348 | google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= 349 | google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= 350 | google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= 351 | google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= 352 | google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= 353 | google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= 354 | google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= 355 | google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= 356 | google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= 357 | google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= 358 | google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= 359 | google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= 360 | google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= 361 | google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= 362 | google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= 363 | google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= 364 | google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= 365 | google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= 366 | google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 367 | google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 368 | google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 369 | google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 370 | google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 371 | google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 372 | google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 373 | google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 374 | google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= 375 | google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= 376 | google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= 377 | google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 378 | google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 379 | google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 380 | google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 381 | google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 382 | google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 383 | google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 384 | google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d h1:HV9Z9qMhQEsdlvxNFELgQ11RkMzO3CMkjEySjCtuLes= 385 | google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 386 | google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= 387 | google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= 388 | google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= 389 | google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= 390 | google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= 391 | google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= 392 | google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= 393 | google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= 394 | google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= 395 | google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= 396 | google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= 397 | google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= 398 | google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= 399 | google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= 400 | google.golang.org/grpc v1.34.0 h1:raiipEjMOIC/TO2AvyTxP25XFdLxNIBwzDh3FM3XztI= 401 | google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= 402 | google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= 403 | google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= 404 | google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 405 | google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= 406 | google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= 407 | google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= 408 | google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= 409 | google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= 410 | google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= 411 | google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c= 412 | google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= 413 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 414 | gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 415 | gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= 416 | gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 417 | honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 418 | honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 419 | honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 420 | honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 421 | honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= 422 | honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= 423 | honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= 424 | rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= 425 | rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= 426 | rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= 427 | -------------------------------------------------------------------------------- /query/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bytes" 5 | "context" 6 | "errors" 7 | "flag" 8 | "fmt" 9 | "io/ioutil" 10 | "regexp" 11 | "strings" 12 | "time" 13 | 14 | asset "cloud.google.com/go/asset/apiv1" 15 | "github.com/golang/glog" 16 | "github.com/golang/protobuf/jsonpb" 17 | 18 | //"google.golang.org/protobuf" 19 | "golang.org/x/oauth2" 20 | "golang.org/x/oauth2/google" 21 | 22 | gcperrors "github.com/salrashid123/gcp_error_handler/golang/errors" 23 | 24 | "google.golang.org/api/bigquery/v2" 25 | 26 | crmv1 "google.golang.org/api/cloudresourcemanager/v1" 27 | crmv2 "google.golang.org/api/cloudresourcemanager/v2" 28 | "google.golang.org/api/compute/v1" 29 | "google.golang.org/api/iap/v1" 30 | "google.golang.org/api/run/v2" 31 | "google.golang.org/api/spanner/v1" 32 | "google.golang.org/api/storage/v1" 33 | 34 | "google.golang.org/api/impersonate" 35 | "google.golang.org/api/iterator" 36 | "google.golang.org/api/option" 37 | 38 | //"google.golang.org/api/container/v1" 39 | 40 | "google.golang.org/api/iam/v1" 41 | assetpb "google.golang.org/genproto/googleapis/cloud/asset/v1" 42 | 43 | policytroubleshooter "cloud.google.com/go/policytroubleshooter/apiv1" 44 | policypb "google.golang.org/genproto/googleapis/cloud/policytroubleshooter/v1" 45 | 46 | storageAPI "cloud.google.com/go/storage" 47 | ) 48 | 49 | // https://cloud.google.com/iam/docs/full-resource-names 50 | const ( 51 | bigqueryTablesRegex = "//bigquery.googleapis.com/projects/(.+)/datasets/(.+)/tables/(.+)" 52 | bigqueryDatasetRegex = "//bigquery.googleapis.com/projects/(.+)/datasets/(.+)" 53 | iamServiceAccountsRegex = "//iam.googleapis.com/projects/(.+)/serviceAccounts/(.+)" 54 | serviceAccountsKeysRegex = "//iam.googleapis.com/projects/(.+)/serviceAccounts/(.+)/keys/(.+)" 55 | iapAppEngineRegex = "//iap.googleapis.com/projects/(.+)/iap_web/appengine-(.+)/services/(.+)" 56 | iapGCERegex = "//iap.googleapis.com/projects/(.+)/iap_web/compute/services/(.+)" 57 | spannerInstances = "//spanner.googleapis.com/projects/(.+)/instances/(.+)" 58 | storageBucketsRegex = "//storage.googleapis.com/projects/_/buckets/(.+)" 59 | computeInstanceRegex = "//compute.googleapis.com/projects/(.+)/zones/(.+)/instances/(.+)$" 60 | computeNetworksRegex = "//compute.googleapis.com/projects/(.+)/global/networks/(.+)" 61 | computeSubNetworksRegex = "//compute.googleapis.com/projects/(.+)/regions/(.+)/subnetworks/(.+)" 62 | kubernetesEngineRegex = "//container.googleapis.com/projects/(.+)/clusters/(.+)" 63 | pubsubTopicsRegex = "//pubsub.googleapis.com/projects/(.+)/topics/(.+)" 64 | resourceManagerOrganizationRegex = "//cloudresourcemanager.googleapis.com/organizations/(.+)" 65 | resourceManagerProjectsRegex = "//cloudresourcemanager.googleapis.com/projects/(.+)" 66 | resourceManagerFoldersRegex = "//cloudresourcemanager.googleapis.com/folders/(.+)" 67 | cloudRunRegex = "//run.googleapis.com/projects/(.+)/locations/(.+)/services/(.+)" 68 | 69 | // https://cloud.google.com/asset-inventory/docs/supported-asset-types#analyzable_asset_types 70 | 71 | assetTypeBQDataset = "bigquery.googleapis.com/Dataset" 72 | assetTypeBQTable = "bigquery.googleapis.com/Table" 73 | assetTypeGCS = "storage.googleapis.com/Bucket" 74 | assetTypeAppEngineService = "appengine.googleapis.com/Service" 75 | assetTypeBackendService = "compute.googleapis.com/BackendService" 76 | assetTypeFolder = "cloudresourcemanager.googleapis.com/Folder" 77 | assetTypeOrganization = "cloudresourcemanager.googleapis.com/Organization" 78 | assetTypeProject = "cloudresourcemanager.googleapis.com/Project" 79 | assetTypeServiceAccount = "iam.googleapis.com/ServiceAccount" 80 | assetTypeServiceAccountKey = "iam.googleapis.com/ServiceAccountKey" 81 | assetTypeGCEInstance = "compute.googleapis.com/Instance" 82 | assetTypeCloudRunService = "run.googleapis.com/Service" 83 | 84 | cloudPlatformScope = "https://www.googleapis.com/auth/cloud-platform" 85 | ) 86 | 87 | var ( 88 | scope = flag.String("scope", "", "Scope to check") 89 | checkResource = flag.String("checkResource", "", "Canonical Resource to check //storage.googleapis.com/projects/_/buckets/(.+)") 90 | identity = flag.String("identity", "", "Permission to check") 91 | impersonateServiceAccount = flag.String("impersonateServiceAccount", "", "ServiceAccount to impersonate") 92 | printPermissionsOnResource = flag.Bool("printPermissionsOnResource", false, "PrintPermission on target Resource") 93 | useIAMPolicyRequest = flag.Bool("useIAMPolicyRequest", false, "Use IAMPolicy API request (requires admin)") 94 | projectID = flag.String("projectID", "", "ProjectID for quota") 95 | 96 | usePolicyTroubleshooter = flag.Bool("usePolicyTroubleshooter", false, "Use policytroubleshooter API to check a given permission (requires admin)") 97 | permissionToCheck = flag.String("permissionToCheck", "", "Permission to check using policytroubleshooter API (requires admin)") 98 | enableImpersonatedCheck = flag.Bool("enableImpersonatedCheck", false, "Check for Impersonated credentials (default: false)") 99 | checkEndUserPermissions = flag.Bool("checkEndUserPermissions", false, "Enumerate end user permissions (default: false)") 100 | gcsDestinationForLongRunningAnalysis = flag.String("gcsDestinationForLongRunningAnalysis", "", "Destination gcs bucket to write LongRunningAnalysis (in format gcs://fabled-ray-104117-bucket)") 101 | ) 102 | 103 | func init() { 104 | } 105 | 106 | func getPermissions(ctx context.Context, ts oauth2.TokenSource, resource string) ([]string, error) { 107 | glog.V(2).Infof("================ QueryTestablePermissions with Resource ======================\n") 108 | glog.V(2).Infof(" %s \n ", resource) 109 | 110 | if *checkResource == "" { 111 | return nil, errors.New("must specify checkResource") 112 | } 113 | 114 | iamService, err := iam.NewService(ctx, option.WithQuotaProject(*projectID)) 115 | if err != nil { 116 | glog.Fatal(err) 117 | } 118 | ors := iam.NewPermissionsService(iamService) 119 | 120 | var permstoTest []string 121 | 122 | perms := make([]*iam.Permission, 0) 123 | nextPageToken := "" 124 | for { 125 | ps, err := ors.QueryTestablePermissions(&iam.QueryTestablePermissionsRequest{ 126 | FullResourceName: resource, 127 | PageToken: nextPageToken, 128 | }).Do() 129 | if err != nil { 130 | return nil, errors.New("could not iterate testable permissions") 131 | } 132 | glog.V(20).Infof("================ Getting Permissions %v\n", ps.NextPageToken) 133 | 134 | for _, sa := range ps.Permissions { 135 | glog.V(30).Infof(" Adding Permission to check %s\n", sa.Name) 136 | perms = append(perms, sa) 137 | } 138 | 139 | nextPageToken = ps.NextPageToken 140 | if nextPageToken == "" { 141 | break 142 | } 143 | 144 | } 145 | 146 | glog.V(15).Infof("Testable permissions on resource:\n") 147 | for _, p := range perms { 148 | glog.V(20).Infof(" %s", p.Name) 149 | permstoTest = append(permstoTest, p.Name) 150 | } 151 | 152 | return permstoTest, nil 153 | } 154 | 155 | func main() { 156 | flag.Parse() 157 | 158 | ctx := context.Background() 159 | 160 | s := []string{cloudPlatformScope} 161 | 162 | var err error 163 | var ts oauth2.TokenSource 164 | 165 | if *impersonateServiceAccount != "" { 166 | if *checkEndUserPermissions { 167 | glog.V(10).Infof("Impersonating User using service Account") 168 | // just users are supported 169 | email := strings.TrimPrefix(*identity, "user:") 170 | ts, err = impersonate.CredentialsTokenSource(ctx, impersonate.CredentialsConfig{ 171 | TargetPrincipal: *impersonateServiceAccount, 172 | Scopes: s, 173 | Subject: email, 174 | }) 175 | } else { 176 | ts, err = impersonate.CredentialsTokenSource(ctx, impersonate.CredentialsConfig{ 177 | TargetPrincipal: *impersonateServiceAccount, 178 | Scopes: s, 179 | }) 180 | } 181 | } else { 182 | ts, err = google.DefaultTokenSource(ctx) 183 | } 184 | if err != nil { 185 | glog.Errorf("Unable to create Impersonated TokenSource %v ", err) 186 | return 187 | } 188 | 189 | var permstoTest []string 190 | if *printPermissionsOnResource { 191 | // Test Permississons 192 | permstoTest, err := getPermissions(ctx, ts, *checkResource) 193 | if err != nil { 194 | glog.Fatal(err) 195 | } 196 | err = verifyPermissionsAsUser(ctx, ts, *checkResource, permstoTest) 197 | if err != nil { 198 | glog.Fatal(err) 199 | } 200 | return 201 | } 202 | 203 | // *************************************************************************************************** 204 | 205 | if *useIAMPolicyRequest { 206 | 207 | glog.V(2).Infof("Getting AnalyzeIamPolicyRequest") 208 | creds, err := google.FindDefaultCredentials(ctx) 209 | if err != nil { 210 | glog.Fatal(err) 211 | } 212 | proj := creds.ProjectID 213 | 214 | if *projectID != "" { 215 | proj = *projectID 216 | } 217 | assetClient, err := asset.NewClient(ctx, option.WithQuotaProject(proj), option.WithTokenSource(ts)) 218 | if err != nil { 219 | glog.Fatal(err) 220 | } 221 | 222 | if *identity == "" { 223 | glog.Fatal("--identity flag required for AnalyzeIamPolicyRequest") 224 | } 225 | if !*enableImpersonatedCheck { 226 | req := &assetpb.AnalyzeIamPolicyRequest{ 227 | AnalysisQuery: &assetpb.IamPolicyAnalysisQuery{ 228 | Scope: *scope, 229 | ResourceSelector: &assetpb.IamPolicyAnalysisQuery_ResourceSelector{ 230 | FullResourceName: *checkResource, 231 | }, 232 | IdentitySelector: &assetpb.IamPolicyAnalysisQuery_IdentitySelector{ 233 | Identity: *identity, 234 | }, 235 | Options: &assetpb.IamPolicyAnalysisQuery_Options{ 236 | ExpandGroups: true, 237 | OutputGroupEdges: true, 238 | ExpandResources: true, 239 | ExpandRoles: true, 240 | OutputResourceEdges: true, 241 | AnalyzeServiceAccountImpersonation: *enableImpersonatedCheck, 242 | }, 243 | }, 244 | } 245 | resp, err := assetClient.AnalyzeIamPolicy(ctx, req) 246 | if err != nil { 247 | err := handleError(err) 248 | if err != nil { 249 | glog.Fatal(err) 250 | } 251 | return 252 | } 253 | for _, result := range resp.MainAnalysis.AnalysisResults { 254 | 255 | for _, acl := range result.AccessControlLists { 256 | glog.V(2).Infof(" %s has access to resource %s", *identity, acl.Resources) 257 | glog.V(2).Infof(" with capability %s", acl.Accesses) 258 | glog.V(2).Infof(" from node [%s]\n", result.AttachedResourceFullName) 259 | } 260 | 261 | if result.IamBinding.Condition != nil { 262 | glog.V(2).Infof(" With Condition [%s]\n", result.IamBinding.Condition.Expression) 263 | } 264 | 265 | if stringInSlice(*identity, result.IamBinding.Members) { 266 | glog.V(2).Info(" user is directly included in the role binding ") 267 | } else { 268 | glog.V(2).Info(" user is included in the role binding through a group hierarchy: ", getIdentityAncestry(result.IdentityList, *identity, []string{*identity})) 269 | } 270 | } 271 | if len(resp.MainAnalysis.AnalysisResults) == 0 { 272 | glog.V(2).Infof(" %s does not access to resource %s", *identity, *checkResource) 273 | } 274 | } else { 275 | fileName := time.Now().UTC().Format("20060102150405") 276 | req := &assetpb.AnalyzeIamPolicyLongrunningRequest{ 277 | AnalysisQuery: &assetpb.IamPolicyAnalysisQuery{ 278 | Scope: *scope, 279 | ResourceSelector: &assetpb.IamPolicyAnalysisQuery_ResourceSelector{ 280 | FullResourceName: *checkResource, 281 | }, 282 | IdentitySelector: &assetpb.IamPolicyAnalysisQuery_IdentitySelector{ 283 | Identity: *identity, 284 | }, 285 | Options: &assetpb.IamPolicyAnalysisQuery_Options{ 286 | ExpandGroups: true, 287 | OutputGroupEdges: true, 288 | ExpandResources: true, 289 | ExpandRoles: true, 290 | OutputResourceEdges: true, 291 | AnalyzeServiceAccountImpersonation: *enableImpersonatedCheck, 292 | }, 293 | }, 294 | OutputConfig: &assetpb.IamPolicyAnalysisOutputConfig{ 295 | Destination: &assetpb.IamPolicyAnalysisOutputConfig_GcsDestination_{ 296 | GcsDestination: &assetpb.IamPolicyAnalysisOutputConfig_GcsDestination{ 297 | Uri: fmt.Sprintf("%s/%s", *gcsDestinationForLongRunningAnalysis, fileName), 298 | }, 299 | }, 300 | }, 301 | } 302 | 303 | op, err := assetClient.AnalyzeIamPolicyLongrunning(ctx, req) 304 | if err != nil { 305 | err := handleError(err) 306 | if err != nil { 307 | glog.Fatal(err) 308 | } 309 | return 310 | } 311 | 312 | _, err = op.Wait(ctx) 313 | if err != nil { 314 | err := handleError(err) 315 | if err != nil { 316 | glog.Fatal(err) 317 | } 318 | return 319 | } 320 | 321 | glog.V(2).Infof(" Result written to %s", fmt.Sprintf("%s/%s", *gcsDestinationForLongRunningAnalysis, fileName)) 322 | 323 | gcsClient, err := storageAPI.NewClient(ctx) 324 | if err != nil { 325 | err := handleError(err) 326 | if err != nil { 327 | glog.Fatal(err) 328 | } 329 | return 330 | } 331 | defer gcsClient.Close() 332 | bkt := gcsClient.Bucket(strings.TrimPrefix(*gcsDestinationForLongRunningAnalysis, "gs://")) 333 | 334 | rc, err := bkt.Object(fileName).NewReader(ctx) 335 | if err != nil { 336 | err := handleError(err) 337 | if err != nil { 338 | glog.Fatal(err) 339 | } 340 | return 341 | } 342 | defer rc.Close() 343 | slurp, err := ioutil.ReadAll(rc) 344 | if err != nil { 345 | err := handleError(err) 346 | if err != nil { 347 | glog.Fatal(err) 348 | } 349 | return 350 | } 351 | resp := assetpb.AnalyzeIamPolicyResponse{} 352 | var um = jsonpb.Unmarshaler{} 353 | um.AllowUnknownFields = true 354 | err = um.Unmarshal(bytes.NewReader(slurp), &resp) 355 | if err != nil { 356 | err := handleError(err) 357 | if err != nil { 358 | glog.Fatal(err) 359 | } 360 | return 361 | } 362 | glog.V(20).Infof(" Parsed AnalyzeIamPolicyResponse from %s", fmt.Sprintf("%s/%s", *gcsDestinationForLongRunningAnalysis, fileName)) 363 | 364 | for _, result := range resp.MainAnalysis.AnalysisResults { 365 | 366 | for _, acl := range result.AccessControlLists { 367 | glog.V(2).Infof(" %s has access to resource %s", *identity, acl.Resources) 368 | glog.V(2).Infof(" with capability %s", acl.Accesses) 369 | glog.V(2).Infof(" from node [%s]\n", result.AttachedResourceFullName) 370 | } 371 | 372 | if result.IamBinding.Condition != nil { 373 | glog.V(2).Infof(" With Condition [%s]\n", result.IamBinding.Condition.Expression) 374 | } 375 | 376 | if stringInSlice(*identity, result.IamBinding.Members) { 377 | glog.V(2).Info(" user is directly included in the role binding ") 378 | } else { 379 | glog.V(2).Info(" user is included in the role binding through a group hierarchy: ", getIdentityAncestry(result.IdentityList, *identity, []string{*identity})) 380 | } 381 | } 382 | recurseDelegationForResource(*identity, *checkResource, resp) 383 | } 384 | 385 | return 386 | } else if *usePolicyTroubleshooter { 387 | if *permissionToCheck == "" || *checkResource == "" || *identity == "" { 388 | glog.Errorf("Specify, permissionToCheck, checkResource and identity must be specified") 389 | return 390 | } 391 | 392 | glog.V(2).Infof("Getting PolicyTroubleshooter") 393 | 394 | if len(strings.Split(*identity, ":")) > 1 { 395 | *identity = strings.Split(*identity, ":")[1] 396 | } 397 | creds, err := google.FindDefaultCredentials(ctx) 398 | if err != nil { 399 | glog.Fatal(err) 400 | } 401 | proj := creds.ProjectID 402 | 403 | if *projectID != "" { 404 | proj = *projectID 405 | } 406 | policyClient, err := policytroubleshooter.NewIamCheckerClient(ctx, option.WithQuotaProject(proj), option.WithTokenSource(ts)) 407 | if err != nil { 408 | glog.Fatal(err) 409 | } 410 | req := &policypb.TroubleshootIamPolicyRequest{ 411 | AccessTuple: &policypb.AccessTuple{ 412 | Principal: *identity, 413 | FullResourceName: *checkResource, 414 | Permission: *permissionToCheck, 415 | }, 416 | } 417 | resp, err := policyClient.TroubleshootIamPolicy(ctx, req) 418 | if err != nil { 419 | err := handleError(err) 420 | if err != nil { 421 | glog.Fatal(err) 422 | } 423 | return 424 | } 425 | 426 | glog.V(10).Infof(" User's AccessState %s\n", resp.Access) 427 | 428 | for _, r := range resp.ExplainedPolicies { 429 | if r.Access == policypb.AccessState_GRANTED { 430 | glog.V(10).Infof(" User's AccessState granted at %s\n", r.FullResourceName) 431 | // for _, b := range r.Policy.Bindings { 432 | // glog.V(20).Infof(" which has roles %s\n", b.Role) 433 | // } 434 | for _, be := range r.BindingExplanations { 435 | if be.Access == policypb.AccessState_GRANTED { 436 | glog.V(10).Infof(" user has binding with permission via roles %s\n", be.Role) 437 | glog.V(10).Infof(" through membership %s\n", be.Memberships) 438 | } 439 | } 440 | } 441 | if r.Access == policypb.AccessState_UNKNOWN_CONDITIONAL { 442 | glog.V(10).Infof(" User may have Conditional access %s\n", r.FullResourceName) 443 | } 444 | } 445 | } 446 | 447 | glog.V(10).Infof("================ Determining Hierarchy for resource %s\n", *checkResource) 448 | 449 | err = getScopedRoles(ctx, ts, *checkResource, *scope, permstoTest) 450 | if err != nil { 451 | err := handleError(err) 452 | if err != nil { 453 | glog.Fatal(err) 454 | } 455 | return 456 | } 457 | } 458 | 459 | func getScopedRoles(ctx context.Context, ts oauth2.TokenSource, resource string, scope string, permissionList []string) error { 460 | 461 | glog.V(2).Infof("Getting ScopedPermission for resource [%s] in scope [%s]", resource, scope) 462 | 463 | // TODO: combine code below with verifyPermissionAsUser() function since the same checks are done there 464 | 465 | var assetType string 466 | var query string 467 | 468 | // BQ Tables 469 | // bigquery.googleapis.com/projects/project-id/datasets/dataset-id/tables/table-id 470 | // bigqueryTablesRegex = "//bigquery.googleapis.com/projects/(.+)/datasets/(.+)/tables/(.+)" 471 | re := regexp.MustCompile(bigqueryTablesRegex) 472 | res := re.FindStringSubmatch(resource) 473 | if len(res) == 4 { 474 | glog.V(2).Infof("==== Scoped Resource is BigQuery Table ==== %s\n", res[1]) 475 | var bigQueryService *bigquery.Service 476 | assetType = assetTypeBQTable 477 | query = res[3] 478 | 479 | bigQueryService, err := bigquery.NewService(ctx, option.WithTokenSource(ts)) 480 | if err != nil { 481 | return err 482 | } 483 | resource := fmt.Sprintf("projects/%s/datasets/%s/tables/%s", res[1], res[2], res[3]) 484 | p, err := bigQueryService.Tables.GetIamPolicy(resource, &bigquery.GetIamPolicyRequest{}).Do() 485 | if err != nil { 486 | err := handleError(err) 487 | if err != nil { 488 | glog.Fatal(err) 489 | } 490 | return err 491 | } 492 | for _, b := range p.Bindings { 493 | glog.V(2).Infof(" Roles ==== %s\n", b.Role) 494 | } 495 | } 496 | // BQ Dataset 497 | // bigquery.googleapis.com/projects/project-id/datasets/dataset-id 498 | // bigqueryDatasetRegex = "//bigquery.googleapis.com/projects/(.+)/datasets/(.+)" 499 | re = regexp.MustCompile(bigqueryDatasetRegex) 500 | res = re.FindStringSubmatch(resource) 501 | if len(res) == 3 { 502 | glog.V(2).Infof("==== Scoped Resource is BigQuery Dataset ==== %s\n", res[1]) 503 | 504 | assetType = assetTypeBQDataset 505 | query = res[2] 506 | var bigQueryService *bigquery.Service 507 | 508 | bigQueryService, err := bigquery.NewService(ctx, option.WithTokenSource(ts)) 509 | if err != nil { 510 | return err 511 | } 512 | //resource := fmt.Sprintf("projects/%s/datasets/%s", res[1], res[2]) 513 | p, err := bigQueryService.Datasets.Get(res[1], res[2]).Do() 514 | if err != nil { 515 | err := handleError(err) 516 | if err != nil { 517 | glog.Fatal(err) 518 | } 519 | return err 520 | } 521 | for _, b := range p.Access { 522 | glog.V(2).Infof(" Roles ==== %s\n", b.Role) 523 | } 524 | } 525 | 526 | // ServiceAccounts 527 | // iam.googleapis.com/projects/project-id/serviceAccounts/service-account-email 528 | // iamServiceAccountsRegex = "//iam.googleapis.com/projects/(.+)/serviceAccounts/(.+)" 529 | 530 | re = regexp.MustCompile(iamServiceAccountsRegex) 531 | res = re.FindStringSubmatch(*checkResource) 532 | if len(res) == 3 { 533 | glog.V(2).Infof("==== Scoped Resource is Service Accounts ==== %s\n", res[2]) 534 | assetType = assetTypeGCS 535 | query = res[1] 536 | 537 | iamService, err := iam.NewService(ctx) 538 | if err != nil { 539 | glog.Fatal(err) 540 | } 541 | 542 | svcAccountPolicy, err := iamService.Projects.ServiceAccounts.GetIamPolicy(fmt.Sprintf("projects/%s/serviceAccounts/%s", res[1], res[2])).Do() 543 | if err != nil { 544 | err := handleError(err) 545 | if err != nil { 546 | glog.Fatal(err) 547 | } 548 | return err 549 | } 550 | for _, b := range svcAccountPolicy.Bindings { 551 | glog.V(2).Infof(" Roles ==== %s\n", b.Role) 552 | } 553 | } 554 | 555 | // IAP AppEngine 556 | // //iap.googleapis.com/projects/project-number/iap_web/appengine-project-id/services/app-service-id 557 | // iapAppEngineRegex = "//iap.googleapis.com/projects/(.+)/iap_web/appengine-(.+)/services/(.+)" 558 | re = regexp.MustCompile(iapAppEngineRegex) 559 | res = re.FindStringSubmatch(*checkResource) 560 | if len(res) == 4 { 561 | glog.V(2).Infof("==== Resource is IAP AppEngine Resource ==== %s\n", res[2]) 562 | 563 | assetType = assetTypeAppEngineService 564 | query = res[2] 565 | var iapService *iap.Service 566 | 567 | iapService, err := iap.NewService(ctx, option.WithTokenSource(ts)) 568 | if err != nil { 569 | return err 570 | } 571 | 572 | ciamResp, err := iapService.V1.GetIamPolicy(fmt.Sprintf("projects/%s/iap_web/appengine-%s/services/%s", res[1], res[2], res[3]), &iap.GetIamPolicyRequest{}).Do() 573 | if err != nil { 574 | glog.V(2).Infof(" Error getting IAM Permissions: %s\n", err) 575 | 576 | err := handleError(err) 577 | if err != nil { 578 | glog.Fatal(err) 579 | } 580 | return err 581 | } 582 | for _, b := range ciamResp.Bindings { 583 | glog.V(2).Infof(" Roles ==== %s\n", b.Role) 584 | } 585 | } 586 | 587 | // GCS: 588 | // assetTypeGCS=storage.googleapis.com/Bucket 589 | // storageBucketsRegex="//storage.googleapis.com/projects/_/buckets/(.+)" 590 | re = regexp.MustCompile(storageBucketsRegex) 591 | res = re.FindStringSubmatch(resource) 592 | if len(res) == 2 { 593 | glog.V(2).Infof("==== Scoped Resource is GCS Bucket ==== %s\n", res[1]) 594 | assetType = assetTypeGCS 595 | query = res[1] 596 | 597 | storageClient, err := storageAPI.NewClient(ctx) 598 | if err != nil { 599 | glog.Fatal(err) 600 | } 601 | 602 | bkt := storageClient.Bucket(res[1]) 603 | 604 | p, err := bkt.IAM().Policy(ctx) 605 | if err != nil { 606 | err := handleError(err) 607 | if err != nil { 608 | glog.Fatal(err) 609 | } 610 | return err 611 | } 612 | 613 | // TODO: handle custom roles and conditions 614 | // `projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID} 615 | for _, n := range p.Roles() { 616 | glog.V(2).Infof(" Roles ==== %s\n", n) 617 | // roles/storage.objectViewer_withcond_71ee91d0ed30fbae053c 618 | // oirsp, err := ors.Get(string(n)).Do() 619 | // if err != nil { 620 | // err := handleError(err) 621 | // if err != nil { 622 | // glog.Fatal(err) 623 | // } 624 | // return nil, err 625 | // } 626 | // glog.V(2).Infof(" Role Description ==== %v\n", oirsp.IncludedPermissions) 627 | } 628 | } 629 | 630 | // IAP Backend Service 631 | // iap.googleapis.com/projects/project-number/iap_web/compute/services/backend-service-id or backend-service-name 632 | // iapGCERegex = "//iap.googleapis.com/projects/(.+)/iap_web/compute/services/(.+)"" 633 | re = regexp.MustCompile(iapGCERegex) 634 | res = re.FindStringSubmatch(resource) 635 | if len(res) == 3 { 636 | glog.V(2).Infof("==== Scoped Resource is IAP Backend Service ==== %s\n", res[2]) 637 | 638 | assetType = assetTypeBackendService 639 | query = res[2] 640 | var iapService *iap.Service 641 | 642 | iapService, err := iap.NewService(ctx, option.WithTokenSource(ts)) 643 | if err != nil { 644 | return err 645 | } 646 | 647 | ciamResp, err := iapService.V1.GetIamPolicy(fmt.Sprintf("projects/%s/iap_web/compute/services/%s", res[1], res[2]), &iap.GetIamPolicyRequest{}).Do() 648 | if err != nil { 649 | glog.V(2).Infof(" Error getting IAM Permissions: %s\n", err) 650 | 651 | err := handleError(err) 652 | if err != nil { 653 | glog.Fatal(err) 654 | } 655 | return err 656 | } 657 | for _, b := range ciamResp.Bindings { 658 | glog.V(2).Infof(" Roles ==== %s\n", b.Role) 659 | } 660 | } 661 | 662 | // GCE Instance 663 | // "compute.googleapis.com/Instance" 664 | // //compute.googleapis.com/projects/project-id/zones/zone/instances/instance-id 665 | // computeInstanceRegex = "//compute.googleapis.com/projects/(.+)/zones/(.+)/instances/(.+)$" 666 | re = regexp.MustCompile(computeInstanceRegex) 667 | res = re.FindStringSubmatch(resource) 668 | if len(res) == 4 { 669 | glog.V(2).Infof("==== Scoped Resource is GCE Instance ==== %s\n", res[3]) 670 | 671 | assetType = assetTypeGCEInstance 672 | query = res[3] 673 | var computeService *compute.Service 674 | 675 | computeService, err := compute.NewService(ctx, option.WithTokenSource(ts)) 676 | if err != nil { 677 | return err 678 | } 679 | 680 | ciamResp, err := computeService.Instances.GetIamPolicy(res[1], res[2], res[3]).Do() 681 | if err != nil { 682 | glog.V(2).Infof(" Error getting IAM Permissions: %s\n", err) 683 | 684 | err := handleError(err) 685 | if err != nil { 686 | glog.Fatal(err) 687 | } 688 | return err 689 | } 690 | for _, b := range ciamResp.Bindings { 691 | glog.V(2).Infof(" Roles ==== %s\n", b.Role) 692 | } 693 | } 694 | 695 | // Projects 696 | // resourceManagerProjectsRegex = "//cloudresourcemanager.googleapis.com/projects/(.+)" 697 | // assetTypeProject = "cloudresourcemanager.googleapis.com/Project" 698 | re = regexp.MustCompile(resourceManagerProjectsRegex) 699 | res = re.FindStringSubmatch(resource) 700 | if len(res) == 2 { 701 | glog.V(2).Infof("==== Scoped Resource is Project ==== %s\n", res[1]) 702 | 703 | assetType = assetTypeProject 704 | query = res[1] 705 | var crmService *crmv1.Service 706 | 707 | crmService, err := crmv1.NewService(ctx, option.WithTokenSource(ts)) 708 | if err != nil { 709 | return err 710 | } 711 | 712 | ciamResp, err := crmService.Projects.GetIamPolicy(res[1], &crmv1.GetIamPolicyRequest{}).Do() 713 | if err != nil { 714 | glog.V(2).Infof(" Error getting IAM Permissions: %s\n", err) 715 | 716 | err := handleError(err) 717 | if err != nil { 718 | glog.Fatal(err) 719 | } 720 | return err 721 | } 722 | for _, b := range ciamResp.Bindings { 723 | glog.V(2).Infof(" Roles ==== %s\n", b.Role) 724 | } 725 | } 726 | 727 | // Folders 728 | // resourceManagerFoldersRegex = "//cloudresourcemanager.googleapis.com/folders/(.+)" 729 | // assetTypeFolder = "cloudresourcemanager.googleapis.com/Folder" 730 | re = regexp.MustCompile(resourceManagerFoldersRegex) 731 | res = re.FindStringSubmatch(resource) 732 | if len(res) == 2 { 733 | glog.V(2).Infof("==== Scoped Resource is Folder ==== %s\n", res[1]) 734 | 735 | assetType = assetTypeFolder 736 | query = res[1] 737 | var crmService2 *crmv2.Service 738 | 739 | crmService2, err := crmv2.NewService(ctx, option.WithTokenSource(ts)) 740 | if err != nil { 741 | return err 742 | } 743 | 744 | ciamResp, err := crmService2.Folders.GetIamPolicy(fmt.Sprintf("folders/%s", res[1]), &crmv2.GetIamPolicyRequest{}).Do() 745 | if err != nil { 746 | glog.V(2).Infof(" Error getting IAM Permissions: %s\n", err) 747 | 748 | err := handleError(err) 749 | if err != nil { 750 | glog.Fatal(err) 751 | } 752 | return err 753 | } 754 | 755 | for _, b := range ciamResp.Bindings { 756 | glog.V(2).Infof(" Roles ==== %s\n", b.Role) 757 | } 758 | 759 | f, err := crmService2.Folders.Get(fmt.Sprintf("folders/%s", res[1])).Do() 760 | if err != nil { 761 | glog.V(2).Infof(" Error getting IAM Permissions: %s\n", err) 762 | 763 | err := handleError(err) 764 | if err != nil { 765 | glog.Fatal(err) 766 | } 767 | return err 768 | } 769 | glog.V(2).Infof(" Folder: [%s]\n", f.Name) 770 | ppolicy, err := crmService2.Folders.GetIamPolicy(f.Name, &crmv2.GetIamPolicyRequest{}).Context(ctx).Do() 771 | if err != nil { 772 | err := handleError(err) 773 | if err != nil { 774 | glog.Fatal(err) 775 | } 776 | return err 777 | } 778 | for _, b := range ppolicy.Bindings { 779 | glog.V(10).Infof(" Policy Binding %s", b.Role) 780 | } 781 | } 782 | 783 | // Organization 784 | // resourceManagerOrganizationRegex = "//cloudresourcemanager.googleapis.com/organizations/(.+)" 785 | // assetTypeFolder = "cloudresourcemanager.googleapis.com/Organization" 786 | re = regexp.MustCompile(resourceManagerOrganizationRegex) 787 | res = re.FindStringSubmatch(resource) 788 | if len(res) == 2 { 789 | glog.V(2).Infof("==== Scoped Resource is Folder ==== %s\n", res[1]) 790 | 791 | assetType = assetTypeOrganization 792 | query = res[1] 793 | var crmService1 *crmv1.Service 794 | 795 | crmService1, err := crmv1.NewService(ctx, option.WithTokenSource(ts)) 796 | if err != nil { 797 | return err 798 | } 799 | 800 | ciamResp, err := crmService1.Organizations.GetIamPolicy(fmt.Sprintf("organizations/%s", res[1]), &crmv1.GetIamPolicyRequest{}).Do() 801 | if err != nil { 802 | glog.V(2).Infof(" Error getting IAM Permissions: %s\n", err) 803 | 804 | err := handleError(err) 805 | if err != nil { 806 | glog.Fatal(err) 807 | } 808 | return err 809 | } 810 | for _, b := range ciamResp.Bindings { 811 | glog.V(2).Infof(" Roles ==== %s\n", b.Role) 812 | } 813 | 814 | f, err := crmService1.Organizations.Get(fmt.Sprintf("organizations/%s", res[1])).Do() 815 | if err != nil { 816 | glog.V(2).Infof(" Error getting IAM Permissions: %s\n", err) 817 | 818 | err := handleError(err) 819 | if err != nil { 820 | glog.Fatal(err) 821 | } 822 | return err 823 | } 824 | glog.V(2).Infof(" Organizations: [%s]\n", f.Name) 825 | ppolicy, err := crmService1.Organizations.GetIamPolicy(f.Name, &crmv1.GetIamPolicyRequest{}).Context(ctx).Do() 826 | if err != nil { 827 | err := handleError(err) 828 | if err != nil { 829 | glog.Fatal(err) 830 | } 831 | return err 832 | } 833 | for _, b := range ppolicy.Bindings { 834 | glog.V(10).Infof(" Policy Binding %s", b.Role) 835 | } 836 | } 837 | 838 | //******************************************************************************************************************* 839 | 840 | glog.V(2).Infof(" SearchingAssets of type [%s] with query [name:%s] \n", assetType, query) 841 | 842 | if assetType == assetTypeFolder || assetType == assetTypeOrganization { 843 | glog.V(2).Infof(" AssetType [%s] does not support GetAncestry()", assetType) 844 | return nil 845 | } 846 | assetClient, err := asset.NewClient(ctx, option.WithQuotaProject(*projectID), option.WithTokenSource(ts)) 847 | if err != nil { 848 | glog.Fatal(err) 849 | } 850 | req := &assetpb.SearchAllResourcesRequest{ 851 | Scope: scope, 852 | AssetTypes: []string{assetType}, 853 | Query: fmt.Sprintf("name:%s", query), 854 | } 855 | respItr := assetClient.SearchAllResources(ctx, req) 856 | for { 857 | r, err := respItr.Next() 858 | if err == iterator.Done { 859 | break 860 | } 861 | if err != nil { 862 | err := handleError(err) 863 | if err != nil { 864 | glog.Fatal(err) 865 | } 866 | return err 867 | } 868 | 869 | crmService1, err := crmv1.NewService(ctx) 870 | if err != nil { 871 | err := handleError(err) 872 | if err != nil { 873 | glog.Fatal(err) 874 | } 875 | return err 876 | } 877 | 878 | crmService2, err := crmv2.NewService(ctx) 879 | if err != nil { 880 | err := handleError(err) 881 | if err != nil { 882 | glog.Fatal(err) 883 | } 884 | return err 885 | } 886 | 887 | // uri: https://cloudresourcemanager.googleapis.com/v1/projects/cicp-oidc:getAncestry?alt=json 888 | pss, err := crmService1.Projects.GetAncestry(strings.TrimLeft(r.Project, "projects/"), &crmv1.GetAncestryRequest{}).Do() 889 | if err != nil { 890 | err := handleError(err) 891 | if err != nil { 892 | glog.Fatal(err) 893 | } 894 | return err 895 | } 896 | 897 | for _, a := range pss.Ancestor { 898 | glog.V(2).Infof(" Ancestor: [%s/%s]\n", a.ResourceId.Type, a.ResourceId.Id) 899 | 900 | // https://cloudresourcemanager.googleapis.com/v1/projects/cicp-oidc:getIamPolicy?alt=json 901 | if a.ResourceId.Type == "project" { 902 | glog.V(10).Infof(" Project: [%s]\n", a.ResourceId.Id) 903 | 904 | ppolicy, err := crmService1.Projects.GetIamPolicy(a.ResourceId.Id, &crmv1.GetIamPolicyRequest{}).Context(ctx).Do() 905 | if err != nil { 906 | err := handleError(err) 907 | if err != nil { 908 | glog.Fatal(err) 909 | } 910 | return err 911 | } 912 | for _, b := range ppolicy.Bindings { 913 | glog.V(10).Infof(" Policy Binding %s", b.Role) 914 | } 915 | } 916 | // https://cloudresourcemanager.googleapis.com/v2/folders/750467892309:getIamPolicy?alt=json 917 | if a.ResourceId.Type == "folder" { 918 | glog.V(2).Infof(" Folder: [%s]\n", a.ResourceId.Id) 919 | ppolicy, err := crmService2.Folders.GetIamPolicy(fmt.Sprintf("folders/%s", a.ResourceId.Id), &crmv2.GetIamPolicyRequest{}).Context(ctx).Do() 920 | if err != nil { 921 | err := handleError(err) 922 | if err != nil { 923 | glog.Fatal(err) 924 | } 925 | return err 926 | } 927 | for _, b := range ppolicy.Bindings { 928 | glog.V(10).Infof(" Policy Binding %s", b.Role) 929 | } 930 | } 931 | 932 | // https://cloudresourcemanager.googleapis.com/v1/organizations/673208786098:getIamPolicy?alt=json 933 | if a.ResourceId.Type == "organization" { 934 | glog.V(2).Infof(" Organization: [%s]\n", a.ResourceId.Id) 935 | ppolicy, err := crmService1.Organizations.GetIamPolicy(fmt.Sprintf("organizations/%s", a.ResourceId.Id), &crmv1.GetIamPolicyRequest{}).Context(ctx).Do() 936 | if err != nil { 937 | err := handleError(err) 938 | if err != nil { 939 | glog.Fatal(err) 940 | } 941 | return err 942 | } 943 | for _, b := range ppolicy.Bindings { 944 | glog.V(10).Infof(" Policy Binding %s", b.Role) 945 | } 946 | } 947 | } 948 | } 949 | return nil 950 | } 951 | 952 | func remove(urlList []string, remove []string) []string { 953 | for i := 0; i < len(urlList); i++ { 954 | url := urlList[i] 955 | for _, rem := range remove { 956 | if url == rem { 957 | urlList = append(urlList[:i], urlList[i+1:]...) 958 | i-- 959 | break 960 | } 961 | } 962 | } 963 | return urlList 964 | } 965 | 966 | func handleError(err error) error { 967 | prettyErrors := gcperrors.New(gcperrors.Error{ 968 | Err: err, 969 | PrettyPrint: true, 970 | }) 971 | glog.Errorf("%s", prettyErrors) 972 | return err 973 | } 974 | 975 | func stringInSlice(a string, list []string) bool { 976 | for _, b := range list { 977 | if b == a { 978 | return true 979 | } 980 | } 981 | return false 982 | } 983 | 984 | func getIdentityAncestry(il *assetpb.IamPolicyAnalysisResult_IdentityList, target string, curr []string) []string { 985 | for _, l := range il.GroupEdges { 986 | if l.TargetNode == target { 987 | return getIdentityAncestry(il, l.SourceNode, append(curr, fmt.Sprintf(" --> %s ", l.SourceNode))) 988 | } 989 | } 990 | return curr 991 | } 992 | 993 | func recurseDelegationForResource(lidentity, lresource string, resp assetpb.AnalyzeIamPolicyResponse) { 994 | for _, result := range resp.ServiceAccountImpersonationAnalysis { 995 | for _, r := range result.AnalysisResults { 996 | for _, n := range r.IdentityList.Identities { 997 | if n.Name == lidentity { 998 | rn := transformResourceName(r.AttachedResourceFullName, lresource) 999 | if rn == lresource { 1000 | glog.V(2).Infof(" %s has iam permissions %s on [%s]", lidentity, r.IamBinding.Role, r.AttachedResourceFullName) 1001 | } 1002 | 1003 | if r.IamBinding.Role == "roles/iam.serviceAccountTokenCreator" { 1004 | re := regexp.MustCompile(iamServiceAccountsRegex) 1005 | rg := re.FindStringSubmatch(r.AttachedResourceFullName) 1006 | if len(rg) == 3 { 1007 | glog.V(2).Infof(" %s can impersonate %s", lidentity, rg[2]) 1008 | if lidentity == fmt.Sprintf("serviceAccount:%s", rg[2]) { 1009 | glog.V(2).Infof(" %s can self-impersonate, skipping to avoied recursion", rg[2]) 1010 | } else { 1011 | recurseDelegationForResource(fmt.Sprintf("serviceAccount:%s", rg[2]), lresource, resp) 1012 | } 1013 | } 1014 | } 1015 | } 1016 | } 1017 | } 1018 | } 1019 | } 1020 | 1021 | func transformResourceName(in string, provided string) string { 1022 | if strings.HasPrefix("//storage.googleapis.com/", in) { 1023 | return in 1024 | } 1025 | return provided 1026 | } 1027 | 1028 | func verifyPermissionsAsUser(ctx context.Context, ts oauth2.TokenSource, checkResource string, permstoTest []string) error { 1029 | 1030 | // verify permissions as end-user 1031 | var res []string 1032 | 1033 | // //bigquery.googleapis.com/projects/project-id/datasets/dataset-id 1034 | re := regexp.MustCompile(bigqueryTablesRegex) 1035 | res = re.FindStringSubmatch(checkResource) 1036 | if len(res) == 4 { 1037 | glog.V(2).Infof("==== TestIAMPermissions as BigQuery Tables Resource ====\n") 1038 | var bigQueryService *bigquery.Service 1039 | 1040 | bigQueryService, err := bigquery.NewService(ctx, option.WithTokenSource(ts), option.WithScopes(cloudPlatformScope)) 1041 | if err != nil { 1042 | return err 1043 | } 1044 | 1045 | ciamResp, err := bigQueryService.Tables.TestIamPermissions(fmt.Sprintf("projects/%s/datasets/%s/tables/%s", res[1], res[2], res[3]), &bigquery.TestIamPermissionsRequest{ 1046 | Permissions: permstoTest, 1047 | }).Do() 1048 | if err != nil { 1049 | glog.V(2).Infof(" Error getting IAM Permissions: %s\n", err) 1050 | 1051 | err := handleError(err) 1052 | if err != nil { 1053 | glog.Fatal(err) 1054 | } 1055 | return err 1056 | } 1057 | glog.V(2).Infof(" User permission on resource: \n") 1058 | for _, p := range ciamResp.Permissions { 1059 | glog.V(2).Infof(" %s\n", p) 1060 | } 1061 | } 1062 | 1063 | // //iam.googleapis.com/projects/project-id/serviceAccounts/service-account-email 1064 | 1065 | re = regexp.MustCompile(iamServiceAccountsRegex) 1066 | res = re.FindStringSubmatch(checkResource) 1067 | if len(res) == 3 { 1068 | glog.V(2).Infof("==== TestIAMPermissions as ServiceAccounts Resource ====\n") 1069 | var iamService *iam.Service 1070 | 1071 | iamService, err := iam.NewService(ctx, option.WithTokenSource(ts), option.WithScopes(cloudPlatformScope)) 1072 | if err != nil { 1073 | return err 1074 | } 1075 | 1076 | ciamResp, err := iamService.Projects.ServiceAccounts.TestIamPermissions(fmt.Sprintf("projects/%s/serviceAccounts/%s", res[1], res[2]), &iam.TestIamPermissionsRequest{ 1077 | Permissions: permstoTest, 1078 | }).Do() 1079 | if err != nil { 1080 | glog.V(2).Infof(" Error getting IAM Permissions: %s\n", err) 1081 | 1082 | err := handleError(err) 1083 | if err != nil { 1084 | glog.Fatal(err) 1085 | } 1086 | return err 1087 | } 1088 | glog.V(2).Infof(" User permission on resource: \n") 1089 | for _, p := range ciamResp.Permissions { 1090 | glog.V(2).Infof(" %s\n", p) 1091 | } 1092 | } 1093 | 1094 | // //iam.googleapis.com/projects/project-id/serviceAccounts/service-account-email/keys/key-id 1095 | 1096 | re = regexp.MustCompile(serviceAccountsKeysRegex) 1097 | res = re.FindStringSubmatch(checkResource) 1098 | if len(res) == 4 { 1099 | glog.V(2).Infof("==== TestIAMPermissions as ServiceAccount Keys Resource ====\n") 1100 | var iamService *iam.Service 1101 | 1102 | iamService, err := iam.NewService(ctx, option.WithTokenSource(ts), option.WithScopes(cloudPlatformScope)) 1103 | if err != nil { 1104 | glog.Fatal(err) 1105 | } 1106 | 1107 | ciamResp, err := iamService.Projects.ServiceAccounts.TestIamPermissions(fmt.Sprintf("projects/%s/serviceAccounts/%s/keys/%s", res[1], res[2], res[3]), &iam.TestIamPermissionsRequest{ 1108 | Permissions: permstoTest, 1109 | }).Do() 1110 | if err != nil { 1111 | glog.V(2).Infof(" Error getting IAM Permissions: %s\n", err) 1112 | 1113 | err := handleError(err) 1114 | if err != nil { 1115 | glog.Fatal(err) 1116 | } 1117 | return err 1118 | } 1119 | glog.V(2).Infof(" User permission on resource: \n") 1120 | for _, p := range ciamResp.Permissions { 1121 | glog.V(2).Infof(" %s\n", p) 1122 | } 1123 | } 1124 | 1125 | // //iap.googleapis.com/projects/project-number/iap_web/appengine-project-id/services/app-service-id 1126 | 1127 | re = regexp.MustCompile(iapAppEngineRegex) 1128 | res = re.FindStringSubmatch(checkResource) 1129 | if len(res) == 4 { 1130 | 1131 | glog.V(2).Infof("==== TestIAMPermissions as IAP AppEngine Resource ==== %s\n", res[2]) 1132 | 1133 | var iapService *iap.Service 1134 | 1135 | iapService, err := iap.NewService(ctx, option.WithTokenSource(ts), option.WithScopes(cloudPlatformScope)) 1136 | if err != nil { 1137 | return err 1138 | } 1139 | 1140 | ciamResp, err := iapService.V1.TestIamPermissions(fmt.Sprintf("projects/%s/iap_web/appengine-%s/services/%s", res[1], res[2], res[3]), &iap.TestIamPermissionsRequest{ 1141 | Permissions: permstoTest, 1142 | }).Do() 1143 | if err != nil { 1144 | glog.V(2).Infof(" Error getting IAM Permissions: %s\n", err) 1145 | 1146 | err := handleError(err) 1147 | if err != nil { 1148 | glog.Fatal(err) 1149 | } 1150 | return err 1151 | } 1152 | glog.V(2).Infof(" User permission on resource: \n") 1153 | for _, p := range ciamResp.Permissions { 1154 | glog.V(2).Infof(" %s\n", p) 1155 | } 1156 | 1157 | } 1158 | 1159 | // //iap.googleapis.com/projects/project-number/iap_web/compute/services/backend-service-id 1160 | 1161 | re = regexp.MustCompile(iapGCERegex) 1162 | res = re.FindStringSubmatch(checkResource) 1163 | if len(res) == 3 { 1164 | glog.V(2).Infof("==== TestIAMPermissions as IAP ComputeEngine Resource ====\n") 1165 | var iapService *iap.Service 1166 | 1167 | iapService, err := iap.NewService(ctx, option.WithTokenSource(ts), option.WithScopes(cloudPlatformScope)) 1168 | if err != nil { 1169 | return err 1170 | } 1171 | 1172 | ciamResp, err := iapService.V1.TestIamPermissions(fmt.Sprintf("projects/%s/iap_web/compute/services/%s", res[1], res[2]), &iap.TestIamPermissionsRequest{ 1173 | Permissions: permstoTest, 1174 | }).Do() 1175 | if err != nil { 1176 | glog.V(2).Infof(" Error getting IAM Permissions: %s\n", err) 1177 | 1178 | err := handleError(err) 1179 | if err != nil { 1180 | glog.Fatal(err) 1181 | } 1182 | return err 1183 | } 1184 | glog.V(2).Infof(" User permission on resource: \n") 1185 | for _, p := range ciamResp.Permissions { 1186 | glog.V(2).Infof(" %s\n", p) 1187 | } 1188 | } 1189 | 1190 | // //spanner.googleapis.com/projects/project-id/instances/instance-id 1191 | 1192 | re = regexp.MustCompile(spannerInstances) 1193 | res = re.FindStringSubmatch(checkResource) 1194 | if len(res) == 3 { 1195 | glog.V(2).Infof("==== TestIAMPermissions as Spanner Resource ====\n") 1196 | var spannerService *spanner.Service 1197 | 1198 | spannerService, err := spanner.NewService(ctx, option.WithTokenSource(ts), option.WithScopes(cloudPlatformScope)) 1199 | if err != nil { 1200 | return err 1201 | } 1202 | 1203 | ciamResp, err := spannerService.Projects.Instances.TestIamPermissions(fmt.Sprintf("projects/%s/instances/%s", res[1], res[2]), &spanner.TestIamPermissionsRequest{ 1204 | Permissions: permstoTest, 1205 | }).Do() 1206 | if err != nil { 1207 | glog.V(2).Infof(" Error getting IAM Permissions: %s\n", err) 1208 | 1209 | err := handleError(err) 1210 | if err != nil { 1211 | glog.Fatal(err) 1212 | } 1213 | return err 1214 | } 1215 | glog.V(2).Infof(" User permission on resource: \n") 1216 | for _, p := range ciamResp.Permissions { 1217 | glog.V(2).Infof(" %s\n", p) 1218 | } 1219 | } 1220 | 1221 | // //storage.googleapis.com/projects/_/buckets/bucket-id 1222 | re = regexp.MustCompile(storageBucketsRegex) 1223 | res = re.FindStringSubmatch(checkResource) 1224 | 1225 | if len(res) == 2 { 1226 | 1227 | glog.V(2).Infof("==== TestIAMPermissions as GCS Bucket Resource ====\n") 1228 | 1229 | var storageService *storage.Service 1230 | 1231 | storageService, err := storage.NewService(ctx, option.WithTokenSource(ts), option.WithScopes(cloudPlatformScope)) 1232 | if err != nil { 1233 | return err 1234 | } 1235 | 1236 | // these permissions haven't propagated out yet as of 2/2/22 1237 | // https://github.com/salrashid123/iam_bq_dataset 1238 | permstoTest = remove(permstoTest, []string{ 1239 | "storage.objects.getIamPolicy", 1240 | "storage.objects.setIamPolicy", 1241 | "storage.buckets.createTagBinding", 1242 | "storage.buckets.deleteTagBinding", 1243 | "storage.buckets.listTagBindings", 1244 | "resourcemanager.resourceTagBindings.create", 1245 | "resourcemanager.resourceTagBindings.delete", 1246 | "resourcemanager.resourceTagBindings.list", 1247 | "resourcemanager.hierarchyNodes.createTagBinding", 1248 | "resourcemanager.hierarchyNodes.deleteTagBinding", 1249 | "resourcemanager.hierarchyNodes.listEffectiveTags", 1250 | "resourcemanager.hierarchyNodes.listTagBindings", 1251 | }) 1252 | 1253 | ciamResp, err := storageService.Buckets.TestIamPermissions(res[1], permstoTest).Do() 1254 | if err != nil { 1255 | glog.V(2).Infof(" Error getting IAM Permissions: %s\n", err) 1256 | 1257 | err := handleError(err) 1258 | if err != nil { 1259 | glog.Fatal(err) 1260 | } 1261 | return err 1262 | } 1263 | glog.V(2).Infof(" User permission on resource: \n") 1264 | for _, p := range ciamResp.Permissions { 1265 | glog.V(2).Infof(" %s\n", p) 1266 | } 1267 | } 1268 | 1269 | // //run.googleapis.com/projects/project-id/locations/location-id/services/service-id 1270 | 1271 | re = regexp.MustCompile(cloudRunRegex) 1272 | res = re.FindStringSubmatch(checkResource) 1273 | 1274 | if len(res) == 4 { 1275 | 1276 | glog.V(2).Infof("==== TestIAMPermissions as Cloud RUn Resource ====\n") 1277 | 1278 | var err error 1279 | var runService *run.Service 1280 | 1281 | runService, err = run.NewService(ctx, option.WithTokenSource(ts), option.WithScopes(cloudPlatformScope)) 1282 | if err != nil { 1283 | return err 1284 | } 1285 | 1286 | // these permissions haven't propagated out yet as of 2/2/22 1287 | // https://github.com/salrashid123/iam_bq_dataset 1288 | permstoTest = remove(permstoTest, []string{}) 1289 | ciamResp, err := runService.Projects.Locations.Services.TestIamPermissions(fmt.Sprintf("projects/%s/locations/%s/services/%s", res[1], res[2], res[3]), &run.GoogleIamV1TestIamPermissionsRequest{ 1290 | Permissions: permstoTest, 1291 | }).Do() 1292 | if err != nil { 1293 | glog.V(2).Infof(" Error getting IAM Permissions: %s\n", err) 1294 | 1295 | err := handleError(err) 1296 | if err != nil { 1297 | glog.Fatal(err) 1298 | } 1299 | return err 1300 | } 1301 | glog.V(2).Infof(" User permission on resource: \n") 1302 | for _, p := range ciamResp.Permissions { 1303 | glog.V(2).Infof(" %s\n", p) 1304 | } 1305 | } 1306 | 1307 | // //compute.googleapis.com/projects/project-id/zones/zone/instances/instance-id 1308 | re = regexp.MustCompile(computeInstanceRegex) 1309 | res = re.FindStringSubmatch(checkResource) 1310 | 1311 | if len(res) == 4 { 1312 | 1313 | glog.V(2).Infof("==== TestIAMPermissions as Compute Instance Resource ====\n") 1314 | 1315 | var computeService *compute.Service 1316 | 1317 | computeService, err := compute.NewService(ctx, option.WithTokenSource(ts), option.WithScopes(cloudPlatformScope)) 1318 | if err != nil { 1319 | return err 1320 | } 1321 | 1322 | ciamResp, err := computeService.Instances.TestIamPermissions(res[1], res[2], res[3], &compute.TestPermissionsRequest{ 1323 | Permissions: permstoTest, 1324 | }).Do() 1325 | if err != nil { 1326 | glog.V(2).Infof(" Error getting IAM Permissions: %s\n", err) 1327 | 1328 | err := handleError(err) 1329 | if err != nil { 1330 | glog.Fatal(err) 1331 | } 1332 | return err 1333 | } 1334 | glog.V(2).Infof(" User permission on resource: \n") 1335 | for _, p := range ciamResp.Permissions { 1336 | glog.V(2).Infof(" %s\n", p) 1337 | } 1338 | } 1339 | 1340 | // //compute.googleapis.com/projects/project-id/global/networks/network 1341 | re = regexp.MustCompile(computeNetworksRegex) 1342 | res = re.FindStringSubmatch(checkResource) 1343 | 1344 | if len(res) == 3 { 1345 | 1346 | glog.V(2).Infof("==== TestIAMPermissions as Compute Network Resource ====\n") 1347 | return errors.New("Unimplemented") 1348 | 1349 | // var computeService *compute.Service 1350 | 1351 | // computeService, err = compute.NewService(ctx, option.WithTokenSource(ts)) 1352 | // if err != nil { 1353 | // glog.Fatal(err) 1354 | // } 1355 | 1356 | // ciamResp, err := computeService.Networks.TestIamPermissions(res[1], res[2], res[3], &compute.TestPermissionsRequest{ 1357 | // Permissions: permstoTest, 1358 | // }).Do() 1359 | // if err != nil { 1360 | // glog.V(2).Infof(" Error getting IAM Permissions: %s\n", err) 1361 | 1362 | // err := handleError(err) 1363 | // if err != nil { 1364 | // glog.Fatal(err) 1365 | // } 1366 | // return 1367 | // } 1368 | // glog.V(2).Infof(" User permission on resource: \n") 1369 | // for _, p := range ciamResp.Permissions { 1370 | // glog.V(2).Infof(" %s\n", p) 1371 | // } 1372 | } 1373 | 1374 | // //compute.googleapis.com/projects/project-id/regions/region/subnetworks/subnetwork 1375 | re = regexp.MustCompile(computeSubNetworksRegex) 1376 | res = re.FindStringSubmatch(checkResource) 1377 | 1378 | if len(res) == 4 { 1379 | 1380 | glog.V(2).Infof("==== TestIAMPermissions as Compute SubNetwork Resource ====\n") 1381 | 1382 | var computeService *compute.Service 1383 | 1384 | computeService, err := compute.NewService(ctx, option.WithTokenSource(ts), option.WithScopes(cloudPlatformScope)) 1385 | if err != nil { 1386 | return err 1387 | } 1388 | 1389 | ciamResp, err := computeService.Subnetworks.TestIamPermissions(res[1], res[2], res[3], &compute.TestPermissionsRequest{ 1390 | Permissions: permstoTest, 1391 | }).Do() 1392 | if err != nil { 1393 | glog.V(2).Infof(" Error getting IAM Permissions: %s\n", err) 1394 | 1395 | err := handleError(err) 1396 | if err != nil { 1397 | glog.Fatal(err) 1398 | } 1399 | return err 1400 | } 1401 | glog.V(2).Infof(" User permission on resource: \n") 1402 | for _, p := range ciamResp.Permissions { 1403 | glog.V(2).Infof(" %s\n", p) 1404 | } 1405 | } 1406 | 1407 | // //container.googleapis.com/projects/project-id/clusters/cluster-id 1408 | re = regexp.MustCompile(kubernetesEngineRegex) 1409 | res = re.FindStringSubmatch(checkResource) 1410 | 1411 | if len(res) == 3 { 1412 | glog.V(2).Infof("==== TestIAMPermissions on Kubernetes Engine Resource ====\n") 1413 | return errors.New("Unimplemented") 1414 | 1415 | // var containerService *container.Service 1416 | 1417 | // containerService, err = container.NewService(ctx, option.WithTokenSource(ts)) 1418 | // if err != nil { 1419 | // glog.Fatal(err) 1420 | // } 1421 | 1422 | // ciamResp, err := containerService.Clusters.TestIamPermissions(res[1], res[2], &container.TestPermissionsRequest{ 1423 | // Permissions: permstoTest, 1424 | // }).Do() 1425 | // if err != nil { 1426 | // glog.V(2).Infof(" Error getting IAM Permissions: %s\n", err) 1427 | 1428 | // err := handleError(err) 1429 | // if err != nil { 1430 | // glog.Fatal(err) 1431 | // } 1432 | // return 1433 | // } 1434 | // glog.V(2).Infof(" User permission on resource: \n") 1435 | // for _, p := range ciamResp.Permissions { 1436 | // glog.V(2).Infof(" %s\n", p) 1437 | // } 1438 | } 1439 | 1440 | // //cloudresourcemanager.googleapis.com/organizations/numeric-id 1441 | re = regexp.MustCompile(resourceManagerOrganizationRegex) 1442 | res = re.FindStringSubmatch(checkResource) 1443 | 1444 | if len(res) == 2 { 1445 | glog.V(2).Infof("==== TestIAMPermissions on Organizations ====\n") 1446 | 1447 | var crmService *crmv1.Service 1448 | 1449 | crmService, err := crmv1.NewService(ctx, option.WithTokenSource(ts), option.WithScopes(cloudPlatformScope)) 1450 | if err != nil { 1451 | return err 1452 | } 1453 | 1454 | if len(permstoTest) > 100 { 1455 | max := 50 1456 | var divided [][]string 1457 | 1458 | chunkSize := (len(permstoTest) + max - 1) / max 1459 | 1460 | for i := 0; i < len(permstoTest); i += chunkSize { 1461 | end := i + chunkSize 1462 | 1463 | if end > len(permstoTest) { 1464 | end = len(permstoTest) 1465 | } 1466 | 1467 | divided = append(divided, permstoTest[i:end]) 1468 | } 1469 | glog.V(2).Infof(" User permission on resource: \n") 1470 | for _, kk := range divided { 1471 | 1472 | ciamResp, err := crmService.Organizations.TestIamPermissions(fmt.Sprintf("organizations/%s", res[1]), &crmv1.TestIamPermissionsRequest{ 1473 | Permissions: kk, 1474 | }).Do() 1475 | if err != nil { 1476 | glog.V(2).Infof(" Error getting IAM Permissions: %s\n", err) 1477 | 1478 | err := handleError(err) 1479 | if err != nil { 1480 | glog.Fatal(err) 1481 | } 1482 | return err 1483 | } 1484 | for _, p := range ciamResp.Permissions { 1485 | glog.V(2).Infof(" %s\n", p) 1486 | } 1487 | } 1488 | } 1489 | } 1490 | 1491 | // //cloudresourcemanager.googleapis.com/projects/project-id 1492 | re = regexp.MustCompile(resourceManagerProjectsRegex) 1493 | res = re.FindStringSubmatch(checkResource) 1494 | 1495 | if len(res) == 2 { 1496 | glog.V(2).Infof("==== TestIAMPermissions on Project ====\n") 1497 | 1498 | var crmService *crmv1.Service 1499 | 1500 | crmService, err := crmv1.NewService(ctx, option.WithTokenSource(ts), option.WithScopes(cloudPlatformScope)) 1501 | if err != nil { 1502 | return err 1503 | } 1504 | 1505 | if len(permstoTest) > 100 { 1506 | max := 50 1507 | var divided [][]string 1508 | 1509 | chunkSize := (len(permstoTest) + max - 1) / max 1510 | 1511 | for i := 0; i < len(permstoTest); i += chunkSize { 1512 | end := i + chunkSize 1513 | 1514 | if end > len(permstoTest) { 1515 | end = len(permstoTest) 1516 | } 1517 | 1518 | divided = append(divided, permstoTest[i:end]) 1519 | } 1520 | glog.V(2).Infof(" User permission on resource: \n") 1521 | for _, kk := range divided { 1522 | 1523 | ciamResp, err := crmService.Projects.TestIamPermissions(res[1], &crmv1.TestIamPermissionsRequest{ 1524 | Permissions: kk, 1525 | }).Do() 1526 | if err != nil { 1527 | glog.V(2).Infof(" Error getting IAM Permissions: %s\n", err) 1528 | 1529 | err := handleError(err) 1530 | if err != nil { 1531 | glog.Fatal(err) 1532 | } 1533 | return err 1534 | } 1535 | for _, p := range ciamResp.Permissions { 1536 | glog.V(2).Infof(" %s\n", p) 1537 | } 1538 | } 1539 | } 1540 | } 1541 | return nil 1542 | } 1543 | --------------------------------------------------------------------------------